[noise] Revision 13: rename "S" to "K"
Jason A. Donenfeld
Jason at zx2c4.com
Mon Oct 19 10:53:45 PDT 2015
Hi Trevor,
Thanks for all these great revisions recently. It looks like things
are starting to solidify, and it all looks great. A few questions
about recent polishes:
How normative is the handshake name section? Do you want to mandate precisely:
Noise_[HANDSHAKE INITIALS]_[CURVE NUMBER]_[CIPHERNAME]_[HASHNAME]
Or is it more free form? At the moment I'm using something a bit more
freeform that's exactly 64 bytes, but I could standardize on this if
you think that would be a good thing: "Noise_IK-v0 WireGuard zx2c4
Curve25519 ChaCha20 Poly1305 Blake2b". I guess using your scheme, what
would fit me would be "Noise_IK_25519_ChaChaPoly_BLAKE2b", which is 33
characters. Some folks might wind up using
"Noise_IK_25519_ChaChaPoly_BLAKE2s", in which case, it might be nice
to permit calling this "NoiseIK_25519_ChaChaPoly_BLAKE2b" so that it's
nicely tucked away in 32 bytes. Or, if it doesn't matter that much,
I'll continue along using my free form identifier, replacing v0 with
v1 once you finalize the spec.
Also on the topic of naming -- what would you think of renaming `h` to
"session hash" and `ck` to "key derivation hash", to emphasize that
these values are the inputs and outputs of hash functions, not cipher
functions, which take "key"s. This is purely cosmetic, but maybe it
interests you. It struck me as something decent to do upon seeing the
changes in rev12.
Regarding Curve448 -- who would need to use a curve like this?
Curve25519 is 126 bits, which I thought was considered unfeasible to
brute-force, and DJB wrote back in 2006, "Breaking the Curve25519
function—for example, computing the shared secret from the two public
keys—is conjectured to be extremely difficult. Every known attack is
more expensive than performing a brute-force search on a typical
128-bit secret-key cipher." I don't know whether or not this claim
still holds in 2015, though. Do folks have doubts about 25519? And if
so, does anybody know of a simple and minimal implementation of DH on
448 (not signatures) that's as pleasant to use as curve25519-donna? I
guess I should ask this over on [curves].
By the way, I'm now mirroring noise here:
http://git.zx2c4.com/noise/about/
http://git.zx2c4.com/noise/
git://git.zx2c4.com/noise
In case that's useful to anybody. I happen to like my rendering of the
markdown more than GitHub's.
Jason
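
An added example, not part of the original message or of the Noise spec: it checks the four identifiers quoted above against the strict `Noise_[HANDSHAKE INITIALS]_[CURVE NUMBER]_[CIPHERNAME]_[HASHNAME]` layout and against the 32- and 64-byte sizes the message mentions. It assumes those sizes are the BLAKE2s and BLAKE2b digest lengths; the `check_name` helper and the character classes in the regular expression are illustrative choices, not taken from the spec.

```python
import hashlib
import re

# Layout quoted in the message:
#   Noise_[HANDSHAKE INITIALS]_[CURVE NUMBER]_[CIPHERNAME]_[HASHNAME]
# The character classes below are an assumption made for this example.
NAME_RE = re.compile(
    r"Noise_(?P<handshake>[A-Z]+)_(?P<curve>[0-9]+)"
    r"_(?P<cipher>[A-Za-z0-9]+)_(?P<hash>[A-Za-z0-9]+)"
)

# Digest sizes of the two hashes named in the message (32 and 64 bytes).
DIGEST_SIZE = {
    "BLAKE2s": hashlib.blake2s().digest_size,
    "BLAKE2b": hashlib.blake2b().digest_size,
}

# The four identifiers quoted in the message.
SAMPLES = [
    "Noise_IK-v0 WireGuard zx2c4 Curve25519 ChaCha20 Poly1305 Blake2b",
    "Noise_IK_25519_ChaChaPoly_BLAKE2b",
    "Noise_IK_25519_ChaChaPoly_BLAKE2s",
    "NoiseIK_25519_ChaChaPoly_BLAKE2b",
]


def check_name(name: str) -> dict:
    """Parse a handshake name; report its byte length and room left per hash."""
    raw = name.encode("ascii")  # raises UnicodeEncodeError on non-ASCII input
    m = NAME_RE.fullmatch(name)
    return {
        "length": len(raw),
        # True only when the name follows the strict five-field layout.
        "strict": m is not None,
        "fields": m.groupdict() if m else None,
        # Bytes to spare in one digest-sized buffer; negative means too long.
        "slack": {h: size - len(raw) for h, size in DIGEST_SIZE.items()},
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        r = check_name(sample)
        layout = "strict" if r["strict"] else "free-form"
        print(f"{r['length']:3d} bytes  {layout:9s}  slack={r['slack']}  {sample}")
```
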