[noise] New draft: more protocols and pre-shared keys

Trevor Perrin trevp at trevp.net
Sun Jul 5 11:55:54 PDT 2015


https://github.com/trevp/noise/blob/master/noise.md

Previously the "0-RTT" handshake protocols doubled the 3x3 matrix of
protocols, resulting in 18.

But on further thought, the idea of the initiator having pre-knowledge
of the responder's ephemeral only makes sense when the initiator also
has pre-knowledge of the responder's static key.  So I removed the
protocols where this isn't the case.

The previous set of protocols all provided maximum identity-hiding for
the initiator, but I think there are cases where it's worth
surrendering some identity-protection for fewer rounds and
authentication of the first message, e.g.:

https://moderncrypto.org/mail-archive/noise/2015/000162.html

Taking all this into account, the handshake protocols expand to a 4x4
matrix, denoted by two characters:

 N_ = no static key for initiator
 K_ = static key for initiator known to responder
 X_ = static key for initiator transmitted to responder
 I_ = static key for initiator immediately transmitted to responder

 _N = no static key for responder
 _K = static key for responder known to initiator
 _E = static key plus a semi-ephemeral key for responder known to initiator
 _X = static key for responder transmitted to initiator


I also made a few other cleanups, including allowing a preshared
symmetric key to initialize the session, because it's easy.


Trevor


More information about the Noise mailing list