[noise] Extra Symmetric Key

Jason A. Donenfeld Jason at zx2c4.com
Thu May 12 12:36:57 PDT 2016

Hi Trevor,

Cool, that seems like a useful extension -- simultaneous key exchanges
happening via the transport data field of the handshake messages. Of
course, in exchanges where 's' is transmitted, there's then no PQ
identity hiding, but for if that's a concern the ordinary PSK could be


On Thu, May 12, 2016 at 9:09 PM, Trevor Perrin <trevp at trevp.net> wrote:
> On Thu, May 12, 2016 at 12:03 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>> Hi Trevor,
>> Why not instead just relegate this usage to the existing PSK? That way
>> the handshake messages themselves will too be protected.
> Then the "extra" exchange would have to be performed prior to the
> Noise protocol.  If you wanted to do that, you could certainly use the
> PSK mechanism.
> But with this design, the extra exchange is overlaid on the Noise
> protocol, so no round trips are added.  For example, the Ring-LWE
> scheme in the Tor proposal requires the two parties to each send one
> message, and uses "Ntor", which is basically:
> -> e
> <- e, dhee, dhse
> So you'd like the client to send its first Ring-LWE message in the
> first Noise payload, and have the server send its Ring-LWE message in
> the response payload.
> Trevor

More information about the Noise mailing list