[noise] New branch of Noise spec

[Trevor Perrin]

Hi,

I've been preparing a new branch of Noise, with most text rewritten
and some substantive changes:

https://github.com/trevp/noise/blob/noh/noise.md


Probably could use some text polishing, but I wanted to get this out
for feedback, so please send some!


Terminology changes:

 * Instead of Box / Handshake distinction for one-shot or interactive
handshakes, now there is a Handshake / Application message
distinction, and within the Handshake a One-way vs Interactive
distinction.

 * The symmetric-key crypto is encapsulated into a "kernel" object.
The main benefit is ease of presentation, but this might also make it
clearer how to swap in new symmetric-key crypto like sponges.

Main changes:

 * Handshake hashing was a weird mix of hashing completed messages,
plus using AAD to cover partial messages.  This meant repeatedly
authenticating or hashing the same data.  Also, the hashes were left
around for the lifetime of the session.  The new system only hashes
relevant fields, once, and stops authenticating the hash after the
handshake.

 * A notion of "branching" has been added so you can specify how to
branch between different versions, or ciphersuites, or handshake
patterns.

 * Prologue had an unclear purpose, so was removed.  If you want to
send plaintext data during an early handshake message, just use the
payload.  If you want to send a version or type indicator, use
branching.

 * The "conventions" I mentioned earlier have been added, including
framing and padding fields.  Also, handshake messages use an extension
system that allows one party to offer support for new things that will
be ignored by older implementations.

 * I've fleshed out a range of ways to send application messages,
allowing for forward-secure key updating / ratcheting, and explicit
nonces.

 * Ciphersuites have been separated into "DH functions" and a
symmetric-key "cipherset", since there was no reason to tie these
together.


Trevor