[noise] New draft: more protocols and pre-shared keys

[Stephen Touset]

Thanks for all the hard work, Trevor. I’ll work on a Rust implementation of the latest protocol definition in the very near future.

> On Jul 5, 2015, at 11:55 AM, Trevor Perrin <trevp at trevp.net> wrote:
> 
> https://github.com/trevp/noise/blob/master/noise.md
> 
> Previously the "0-RTT" handshake protocols doubled the 3x3 matrix of
> protocols, resulting in 18.
> 
> But on further thought, the idea of the initiator having pre-knowledge
> of the responder's ephemeral only makes sense when the initiator also
> has pre-knowledge of the responder's static key.  So I removed the
> protocols where this isn't the case.
> 
> The previous set of protocols all provided maximum identity-hiding for
> the initiator, but I think there are cases where it's worth
> surrendering some identity-protection for fewer rounds and
> authentication of the first message, e.g.:
> 
> https://moderncrypto.org/mail-archive/noise/2015/000162.html
> 
> Taking all this into account, the handshake protocols expand to a 4x4
> matrix, denoted by two characters:
> 
> N_ = no static key for initiator
> K_ = static key for initiator known to responder
> X_ = static key for initiator transmitted to responder
> I_ = static key for initiator immediately transmitted to responder
> 
> _N = no static key for responder
> _K = static key for responder known to initiator
> _E = static key plus a semi-ephemeral key for responder known to initiator
> _X = static key for responder transmitted to initiator
> 
> 
> I also made a few other cleanups, including allowing a preshared
> symmetric key to initialize the session, because it's easy.
> 
> 
> Trevor
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise

-- 
Stephen Touset
stephen at squareup.com