[noise] New draft: more protocols and pre-shared keys
Trevor Perrin
trevp at trevp.net
Sun Jul 5 11:55:54 PDT 2015
https://github.com/trevp/noise/blob/master/noise.md
Previously the "0-RTT" handshake protocols doubled the 3x3 matrix of
protocols, resulting in 18.
But on further thought, the idea of the initiator having pre-knowledge
of the responder's ephemeral only makes sense when the initiator also
has pre-knowledge of the responder's static key. So I removed the
protocols where this isn't the case.
The previous set of protocols all provided maximum identity-hiding for
the initiator, but I think there are cases where it's worth
surrendering some identity-protection for fewer rounds and
authentication of the first message, e.g.:
https://moderncrypto.org/mail-archive/noise/2015/000162.html
Taking all this into account, the handshake protocols expand to a 4x4
matrix, denoted by two characters:
N_ = no static key for initiator
K_ = static key for initiator known to responder
X_ = static key for initiator transmitted to responder
I_ = static key for initiator immediately transmitted to responder
_N = no static key for responder
_K = static key for responder known to initiator
_E = static key plus a semi-ephemeral key for responder known to initiator
_X = static key for responder transmitted to initiator
I also made a few other cleanups, including allowing a preshared
symmetric key to initialize the session, because it's easy.
Trevor
More information about the Noise
mailing list