[noise] Pre-shared Secret - preventing DoS, and ensuring post-quantum PFS

Jason A. Donenfeld Jason at zx2c4.com
Wed Nov 11 17:31:08 PST 2015


On Thu, Nov 12, 2015 at 12:34 AM, Tony Arcieri <bascule at gmail.com> wrote:
> 1) TLS is very much more DoSable than Noise (due to e.g. RSA signatures, and
> most people using RSA).

TLS isn't a very high bar...

> In practice you'll want layer 3/4 mechanisms to
> mitigate such a DoS.

I realize there are non-cryptographic methods of avoiding DoS - token
buckets, blacklists, rate limiting - but I think a cryptographic
approach could be very useful too.


> 2) This does NOT provide post-quantum PFS. That would mean that if the PSK
> leaked, and someone built a large quantum computer, you'd still have PFS.
> This would not be the case with your construction.

Sorry, you're right. What I really meant is that if the PSK is
destroyed sometime in the next 25 years, but all my traffic is logged
indefinitely, when they finally build the quantum computer, they won't
be able to break the DH and decrypt the traffic from the past. This
isn't strictly "PFS"; you're right that for that, I'll need NTRU or
similar. But it is useful: a quantum computer _will_ be built, and the
DH function will be broken. With all the traffic logged, that means
the data will only be secure for not so many years. Whereas if there's
a PSK mixed in there somehow, a quantum computer won't be able to
decrypt all of my past logged traffic.
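Both points of this message (a cheap PSK-keyed check that lets a responder drop unauthenticated packets before doing any DH work, and a key derivation that mixes the PSK into the DH output so that an adversary who logs traffic and later breaks the DH still lacks the PSK) can be illustrated in a few lines. The following is an added example written for this archive page; it is not Noise's code and not Jason's proposed construction. It assumes a generic DH shared secret handed in as bytes (the constant DH_OUTPUT below is a constructed stand-in, not a real DH result), HKDF built from HMAC-SHA256, and constructed test-vector keys; the function and label names are the example's own.

```python
"""Mixing a pre-shared key (PSK) into a DH handshake: added example.

Two defensive properties from the thread, in toy form:
  1. The responder verifies a PSK-keyed MAC on the initiator's first
     message BEFORE any DH computation, so a flood from senders without
     the PSK costs one HMAC per packet instead of a DH operation.
  2. The session key is derived from BOTH the DH output and the PSK, so an
     adversary who logged the traffic and later breaks the DH (the quantum
     scenario in the thread) still cannot reproduce the key without the PSK.
All keys and DH values below are constructed test vectors, not real ones.
"""
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def first_message_mac_key(psk: bytes) -> bytes:
    """MAC key derived from the PSK, kept separate from the session key."""
    return hkdf_expand(hkdf_extract(b"psk-demo mac salt", psk), b"first-message-mac", 32)


def tag_first_message(psk: bytes, message: bytes) -> bytes:
    """Initiator side: authenticate the first handshake message under the PSK."""
    return hmac.new(first_message_mac_key(psk), message, HASH).digest()


def responder_accepts(psk: bytes, message: bytes, tag: bytes) -> bool:
    """Responder side: constant-time check performed before any DH work,
    so packets from senders who do not hold the PSK are rejected cheaply."""
    expected = hmac.new(first_message_mac_key(psk), message, HASH).digest()
    return hmac.compare_digest(expected, tag)


def derive_session_key(dh_output: bytes, psk: bytes, transcript: bytes) -> bytes:
    """Mix the DH result and the PSK into one session key.
    Knowing dh_output alone (DH broken later, PSK never learned) does not
    yield the key; knowing the PSK alone (PSK leaked, DH intact) does not either."""
    prk = hkdf_extract(salt=HASH(transcript).digest(), ikm=psk + dh_output)
    return hkdf_expand(prk, b"psk-demo session key", 32)


# Constructed test vectors (NOT real DH outputs or keys).
PSK = bytes.fromhex("0f" * 32)
DH_OUTPUT = bytes.fromhex("a5" * 32)  # stand-in for the DH shared secret
TRANSCRIPT = b"initiator-ephemeral||responder-ephemeral"


def demo() -> dict:
    """Run both checks with the constructed vectors and return the results."""
    msg = b"hello, ephemeral pubkey follows"
    tag = tag_first_message(PSK, msg)
    return {
        "mac_ok": responder_accepts(PSK, msg, tag),
        "mac_wrong_psk": responder_accepts(b"\x00" * 32, msg, tag),
        "mac_tampered": responder_accepts(PSK, msg + b"!", tag),
        "key": derive_session_key(DH_OUTPUT, PSK, TRANSCRIPT),
        # what an adversary holding only the (later broken) DH output can derive
        "key_without_psk": derive_session_key(DH_OUTPUT, b"", TRANSCRIPT),
        # what an adversary holding only a leaked PSK, but not the DH output, can derive
        "key_without_dh": derive_session_key(b"", PSK, TRANSCRIPT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The MAC check is the DoS side of the argument: a responder can discard a forged first message after one HMAC, with no DH computation spent. The key derivation is the logged-traffic side: as the thread notes, this is not post-quantum PFS (a leaked PSK plus a broken DH does recover past keys), but a key that depends on both inputs cannot be recovered from the DH output alone.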

