[noise] Revision 6: MixHash() of ephemeral public keys

Trevor Perrin trevp at trevp.net
Mon Sep 21 20:02:01 PDT 2015


This is late, but I'm making a substantive change to hashing:  calling
MixHash() on ephemeral public keys, as well as static public keys.



Rationale:

I was thinking about a future Noise version that supported signatures.

I think you'd just need something like a "sige" or "sigs" token to
sign with your ephemeral or static key pair, but you'd like the
signature to cover all previous messages.  The previous "h" value
wouldn't suffice, but the new "h" value would.

As a nice side effect, this makes channel-binding more obvious: if you
want to layer some client-auth thing like ChannelID over a Noise
session, and send a signature that couldn't be relayed to some other
session, you just need to bind the h value, without worrying whether
this value could somehow get replayed over other sessions with the
same party.

This is generally more conservative, avoids people asking or worrying
about why we're not hashing ephemerals (whereas other protocols, like
TLS, do), and the impact on efficiency is small.

https://github.com/trevp/noise/blob/master/noise.md


Trevor
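
An added example, not part of the original message and not code from the Noise project: a simplified model of the handshake hash showing why an "h" that covers only static public keys repeats across sessions between the same parties, while an "h" that also covers ephemerals is unique per session. Assumptions: MixHash(data) sets h = SHA-256(h || data), the protocol name and key bytes are constructed, and DH outputs and payload encryption are left out of the model.

```python
import hashlib
import os

HASHLEN = 32

def initial_h(protocol_name: bytes) -> bytes:
    # Assumption: names up to HASHLEN bytes are zero-padded, longer ones hashed.
    if len(protocol_name) <= HASHLEN:
        return protocol_name.ljust(HASHLEN, b"\x00")
    return hashlib.sha256(protocol_name).digest()

def mix_hash(h: bytes, data: bytes) -> bytes:
    # Assumption: MixHash(data) sets h = HASH(h || data).
    return hashlib.sha256(h + data).digest()

def handshake_hash(messages, mix_ephemerals: bool) -> bytes:
    """messages: ordered (token, public_key) pairs, token is "e" or "s"."""
    h = initial_h(b"Noise_demo_SHA256")  # constructed protocol name
    for token, public_key in messages:
        # Static keys are always hashed; ephemerals only under the new rule.
        if token == "s" or (token == "e" and mix_ephemerals):
            h = mix_hash(h, public_key)
    return h

def new_session(static_i: bytes, static_r: bytes):
    # Fresh ephemerals per session; random bytes stand in for DH public keys.
    return [("e", os.urandom(32)), ("e", os.urandom(32)),
            ("s", static_r), ("s", static_i)]

def compare_sessions():
    """Return (old_rule_h_repeats, new_rule_h_repeats) for two sessions."""
    static_i, static_r = os.urandom(32), os.urandom(32)  # constructed keys
    a = new_session(static_i, static_r)
    b = new_session(static_i, static_r)
    old_same = handshake_hash(a, False) == handshake_hash(b, False)
    new_same = handshake_hash(a, True) == handshake_hash(b, True)
    return old_same, new_same

if __name__ == "__main__":
    old_same, new_same = compare_sessions()
    print("statics only, h repeats across sessions:", old_same)
    print("statics + ephemerals, h repeats across sessions:", new_same)
```

A signature or channel-binding value computed over the second kind of "h" is tied to one session's transcript, which is the property the message describes.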

