[noise] New branch of Noise spec

Trevor Perrin trevp at trevp.net
Sun Aug 23 23:56:51 PDT 2015


On Fri, Aug 21, 2015 at 4:33 PM, Trevor Perrin <trevp at trevp.net> wrote:
> Hi,
>
> I've been preparing a new branch of Noise, with most text rewritten
> and some substantive changes:
>
> https://github.com/trevp/noise/blob/noh/noise.md

I've got negative feedback offlist that this is too hard to follow and
too abstract, so I'm working on simplifying:

https://github.com/trevp/noise/blob/noh2/noise.md

But this is a work-in-progress for now.

Trevor


>
>
> Probably could use some text polishing, but I wanted to get this out
> for feedback, so please send some!
>
>
> Terminology changes:
>
>  * Instead of Box / Handshake distinction for one-shot or interactive
> handshakes, now there is a Handshake / Application message
> distinction, and within the Handshake a One-way vs Interactive
> distinction.
>
>  * The symmetric-key crypto is encapsulated into a "kernel" object.
> The main benefit is ease of presentation, but this might also make it
> clearer how to swap in new symmetric-key crypto like sponges.
>
> Main changes:
>
>  * Handshake hashing was a weird mix of hashing completed messages,
> plus using AAD to cover partial messages.  This meant repeatedly
> authenticating or hashing the same data.  Also, the hashes were left
> around for the lifetime of the session.  The new system only hashes
> relevant fields, once, and stops authenticating the hash after the
> handshake.
>
>  * A notion of "branching" has been added so you can specify how to
> branch between different versions, or ciphersuites, or handshake
> patterns.
>
>  * Prologue had an unclear purpose, so was removed.  If you want to
> send plaintext data during an early handshake message, just use the
> payload.  If you want to send a version or type indicator, use
> branching.
>
>  * The "conventions" I mentioned earlier have been added, including
> framing and padding fields.  Also, handshake messages use an extension
> system that allows one party to offer support for new things that will
> be ignored by older implementations.
>
>  * I've fleshed out a range of ways to send application messages,
> allowing for forward-secure key updating / ratcheting, and explicit
> nonces.
>
>  * Ciphersuites have been separated into "DH functions" and a
> symmetric-key "cipherset", since there was no reason to tie these
> together.
>
>
> Trevor
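The handshake-hashing and "kernel" changes described in the quoted message, as an added illustration that is not the noh branch's text or code and not part of the original thread: a kernel absorbs each handshake field into a running hash exactly once, uses that hash as AAD only for handshake payloads, and then splits into application cipher states that no longer carry or authenticate the hash. The method names (mix_hash, mix_key, split), the HMAC-SHA256 key derivation and the toy HMAC-keystream AEAD standing in for a real cipherset are all assumptions of this sketch; the ephemeral public value and the DH output are constructed fixed bytes because the Python standard library has no X25519.

```python
import hashlib
import hmac

TAGLEN = 16


def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def hkdf2(chaining_key: bytes, ikm: bytes):
    """HKDF-style extract-then-expand (HMAC-SHA256), two 32-byte outputs. Assumed, not the spec's KDF."""
    prk = hmac.new(chaining_key, ikm, hashlib.sha256).digest()
    out1 = hmac.new(prk, b"\x01", hashlib.sha256).digest()
    out2 = hmac.new(prk, out1 + b"\x02", hashlib.sha256).digest()
    return out1, out2


def _keystream(k: bytes, n: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a TOY keystream; illustration only."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(k, n.to_bytes(8, "big") + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _tag(k: bytes, n: int, ad: bytes, ct: bytes) -> bytes:
    return hmac.new(k, b"tag" + n.to_bytes(8, "big") + ad + ct, hashlib.sha256).digest()[:TAGLEN]


def aead_encrypt(k: bytes, n: int, ad: bytes, pt: bytes) -> bytes:
    """Toy encrypt-then-MAC AEAD standing in for a real cipherset (assumption)."""
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k, n, len(pt))))
    return ct + _tag(k, n, ad, ct)


def aead_decrypt(k: bytes, n: int, ad: bytes, msg: bytes) -> bytes:
    ct, tag = msg[:-TAGLEN], msg[-TAGLEN:]
    if not hmac.compare_digest(tag, _tag(k, n, ad, ct)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, n, len(ct))))


class CipherState:
    """Application-message state after the handshake: key and nonce, no handshake hash."""
    def __init__(self, k: bytes):
        self.k, self.n = k, 0

    def encrypt(self, pt: bytes, ad: bytes = b"") -> bytes:
        msg = aead_encrypt(self.k, self.n, ad, pt)
        self.n += 1
        return msg

    def decrypt(self, msg: bytes, ad: bytes = b"") -> bytes:
        pt = aead_decrypt(self.k, self.n, ad, msg)
        self.n += 1
        return pt


class Kernel:
    """Symmetric-key state for the handshake phase (name and layout assumed)."""
    def __init__(self, protocol_name: bytes):
        self.h = sha256(protocol_name)   # running handshake hash
        self.ck = self.h                 # chaining key for key derivation
        self.cs = None                   # CipherState once a key exists
        self.fields_hashed = 0           # bookkeeping: each field hashed once

    def mix_hash(self, field: bytes) -> None:
        self.h = sha256(self.h, field)
        self.fields_hashed += 1

    def mix_key(self, ikm: bytes) -> None:
        """Feed a DH output (here a constructed stand-in) into the chaining key."""
        self.ck, k = hkdf2(self.ck, ikm)
        self.cs = CipherState(k)

    def encrypt_and_hash(self, pt: bytes) -> bytes:
        """Encrypt a handshake payload with h as AAD, then hash the ciphertext once."""
        ct = self.cs.encrypt(pt, ad=self.h) if self.cs else pt
        self.mix_hash(ct)
        return ct

    def decrypt_and_hash(self, ct: bytes) -> bytes:
        pt = self.cs.decrypt(ct, ad=self.h) if self.cs else ct
        self.mix_hash(ct)
        return pt

    def split(self):
        """Derive the two application keys; the handshake hash is dropped afterwards."""
        k1, k2 = hkdf2(self.ck, b"")
        self.h = None
        return CipherState(k1), CipherState(k2)


E_PUB, DH_OUT = b"\x01" * 32, b"\x02" * 32   # constructed stand-ins for an ephemeral key and DH result


def run_example() -> dict:
    init, resp = Kernel(b"Noise_sketch"), Kernel(b"Noise_sketch")
    init.mix_hash(E_PUB)                      # clear field, hashed once
    init.mix_key(DH_OUT)
    wire = E_PUB + init.encrypt_and_hash(b"hello")   # one-way handshake message
    resp.mix_hash(wire[:32])
    resp.mix_key(DH_OUT)
    payload = resp.decrypt_and_hash(wire[32:])
    h_match = init.h == resp.h
    i_send, _i_recv = init.split()
    r_recv, _r_send = resp.split()
    app_pt = r_recv.decrypt(i_send.encrypt(b"app data"))   # AAD empty: hash no longer authenticated
    return {"h_match": h_match, "fields_hashed": (init.fields_hashed, resp.fields_hashed),
            "payload": payload, "app_plaintext": app_pt,
            "hash_dropped": init.h is None and resp.h is None}


def tampered_handshake_rejected() -> bool:
    """Flip a bit in the clear field: h (the AAD) binds it, so the payload fails to decrypt."""
    init, resp = Kernel(b"Noise_sketch"), Kernel(b"Noise_sketch")
    init.mix_hash(E_PUB)
    init.mix_key(DH_OUT)
    wire = E_PUB + init.encrypt_and_hash(b"hello")
    tampered = bytes([wire[0] ^ 0x80]) + wire[1:]
    resp.mix_hash(tampered[:32])
    resp.mix_key(DH_OUT)
    try:
        resp.decrypt_and_hash(tampered[32:])
        return False
    except ValueError:
        return True
```

The clear field is never fed to the AEAD a second time: it enters the hash once, and that hash is the AAD for the payload, so tampering with it is caught without re-authenticating the bytes. After split() the application cipher states carry only a key and a nonce, matching the quoted point that the hash is not kept around for the lifetime of the session.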

