[noise] Working toward Revision 29

Trevor Perrin trevp at trevp.net
Thu May 12 17:58:32 PDT 2016

I made a pass on the spec which I'd like to publish as Revision 29, in
a few days:



(1) Now disallows patterns that transmit an ephemeral or static public
key multiple times in a handshake (discussed on list - no one was
doing this and no good reason to want it, so we're tightening the

(2) Now requires pre-shared symmetric keys to be 256 bits.  Tightening
the rules makes testing and implementation simpler, and hopefully
deters people from using this with low-entropy passwords.

(3) Removed XR pattern as it's not that useful (discussed on list).

(4) The "Complex protocols" section was renamed to "Advanced uses":
 * New term "Compound protocols" for things like Noise Pipes that
combine multiple Noise protocols
 * New sections on "Channel binding", "Protocol indistinguishability",
and "Secondary symmetric keys" (instead of "extra symmetric keys"), to
discuss fun things you can do.

This doesn't affect existing libraries, unless you want to provide
APIs to access the handshake hash (for channel binding), or to allow a
"secondary symmetric key" (intended for post-quantum forward secrecy,

(5) Cleanups and clarifications:
 * Edited Application Responsibilities advice on choosing crypto functions
 * More Rationales for HKDF and handshake hashing
 * New Security Consideration for hash collisions
 * Generalize "authentication tags" terminology to also allow for
"synthetic IV" constructions
 * Added acknowledgements for discussions with BLAKE2 team
 * Bunch of cosmetic things

After this revision, I'd like to expand / flesh out some more
patterns, including naming conventions for some of the patterns
discussed in 8.6, and better treatment of zero-RTT / semi-ephemerals,
for Revision 30.
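
The checks implied by items (1) and (2) above, as an added example that is not part of the original post or of any Noise library. It assumes "multiple times" is counted per sending party, and that patterns are written as arrow lines; the two sample patterns are constructed, and tokens other than "e" and "s" are ignored.

```python
# Added example (not from the post): validate a handshake pattern and a PSK
# against items (1) and (2) of the Revision 29 announcement.
from collections import Counter

PSK_LEN = 32  # 256 bits, per item (2)

def parse_pattern(lines):
    """Parse lines such as '-> e, s' into (sender, [tokens]) tuples."""
    messages = []
    for line in lines:
        arrow, _, rest = line.strip().partition(" ")
        if arrow not in ("->", "<-"):
            raise ValueError(f"bad direction in {line!r}")
        sender = "initiator" if arrow == "->" else "responder"
        tokens = [t.strip() for t in rest.split(",") if t.strip()]
        messages.append((sender, tokens))
    return messages

def repeated_keys(lines):
    """Return (sender, token) pairs where 'e' or 's' is sent more than once.

    Assumption: the limit applies per sending party across the handshake.
    """
    counts = Counter()
    for sender, tokens in parse_pattern(lines):
        for tok in tokens:
            if tok in ("e", "s"):  # public-key tokens; other tokens ignored
                counts[(sender, tok)] += 1
    return sorted(key for key, n in counts.items() if n > 1)

def check_psk(psk):
    """Accept only a 256-bit key. Length cannot prove entropy, so the
    caller must still supply a random key rather than a stretched password."""
    if not isinstance(psk, (bytes, bytearray)):
        raise TypeError("PSK must be bytes")
    if len(psk) != PSK_LEN:
        raise ValueError(f"PSK must be {PSK_LEN} bytes, got {len(psk)}")
    return bytes(psk)

# Constructed sample patterns (illustrative, not copied from the spec).
ONCE_EACH = ["-> e", "<- e, ee, s, es", "-> s, se"]
STATIC_TWICE = ["-> e, s", "<- e, ee", "-> s, se"]

if __name__ == "__main__":
    print(repeated_keys(ONCE_EACH))     # nothing repeated
    print(repeated_keys(STATIC_TWICE))  # initiator repeats "s"
```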

