[noise] Revision 20

Trevor Perrin trevp at trevp.net
Mon Feb 1 16:18:22 PST 2016

People weren't "getting" the spec, so I did a lot of rewriting and
restructuring, and added more info.  Would appreciate feedback:



 * Rewrote much of the Overview and early sections to be friendlier,
introduce concepts with more explanation and de-emphasize the
"object-oriented" pseudocode.

 * Separated PSK logic into a separate section (6).  I think it's
easier to explain on it's own, without complicating the rest of the

 * Added security properties sections (7.4, 7.5) to analyze the
handshakes.  Those were tricky, could use review.

No substantive changes to existing patterns, but a few things are close:

 * Pattern validity rules are clarified

 * Removed the _E patterns.  Semi-ephemeral keys are a lot to
introduce, because they have different lifetimes than the "normal"
ephemeral keys.  Also, you might want them signed, and we don't have
signatures yet.  So I left them out, for now.

 * Added a Noise_XR pattern corresponding to SIGMA-R, where the
initiator reveals their identity first.  In talking to people about
key agreements like SIGMA, I realized this was a gap in our coverage.

 * Added a notion of "null" public keys.  This just acknowledges that
with current DH functions, a zeros input produces zeros output.  This
is useful for using dummy public with patterns like Noise_XX, see 8.1.


More information about the Noise mailing list