[noise] New draft: more protocols and pre-shared keys

Trevor Perrin trevp at trevp.net
Mon Jul 6 12:58:53 PDT 2015


On Mon, Jul 6, 2015 at 12:05 PM, Stephen Touset <stephen at squareup.com> wrote:
> Thanks for all the hard work, Trevor. I’ll work on a Rust implementation of the latest protocol definition in the very near future.

That would be great!

I expect we'll break compatibility a few more times as we iron out
kinks.  But trial implementations is one of the best ways to locate
problems.

So for anyone who can tolerate a few rounds of updates and some
messiness while we stabilize, trying to implement would be a huge
help.


Trevor


>
>> On Jul 5, 2015, at 11:55 AM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> https://github.com/trevp/noise/blob/master/noise.md
>>
>> Previously the "0-RTT" handshake protocols doubled the 3x3 matrix of
>> protocols, resulting in 18.
>>
>> But on further thought, the idea of the initiator having pre-knowledge
>> of the responder's ephemeral only makes sense when the initiator also
>> has pre-knowledge of the responder's static key.  So I removed the
>> protocols where this isn't the case.
>>
>> The previous set of protocols all provided maximum identity-hiding for
>> the initiator, but I think there are cases where it's worth
>> surrendering some identity-protection for fewer rounds and
>> authentication of the first message, e.g.:
>>
>> https://moderncrypto.org/mail-archive/noise/2015/000162.html
>>
>> Taking all this into account, the handshake protocols expand to a 4x4
>> matrix, denoted by two characters:
>>
>> N_ = no static key for initiator
>> K_ = static key for initiator known to responder
>> X_ = static key for initiator transmitted to responder
>> I_ = static key for initiator immediately transmitted to responder
>>
>> _N = no static key for responder
>> _K = static key for responder known to initiator
>> _E = static key plus a semi-ephemeral key for responder known to initiator
>> _X = static key for responder transmitted to initiator
>>
>>
>> I also made a few other cleanups, including allowing a preshared
>> symmetric key to initialize the session, because it's easy.
>>
>>
>> Trevor
>> _______________________________________________
>> Noise mailing list
>> Noise at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/noise
>
> --
> Stephen Touset
> stephen at squareup.com
>
>
>


More information about the Noise mailing list