[noise] Extra Symmetric Key

Trevor Perrin trevp at trevp.net
Sat May 14 10:30:10 PDT 2016

On Sat, May 14, 2016 at 9:29 AM, Alex <alex at centromere.net> wrote:
> What if your chosen PQ handshake requires more round-trips than your
> chosen Noise handshake provides?

Assuming that you're just doing PQ for forward secrecy, not
authentication, the PQ handshake is probably not more complicated
  Alice sends PQ "public key"
  Bob sends something to PQ public key
  They derive the extra key

So I don't think that should happen with typical interactive Noise
handshakes (which are at least one round-trip, more if the initiator
wants identity hiding).

This wouldn't have the ability to use the PQ extra key for identity
hiding, which Jason points out is a downside of this simple approach.
But in the Tor case there is no client identity, so it doesn't matter.

(In the future we could consider modifications to the pattern language
that allowed more complicated weaving of the secondary and primary
handshake together, so that the secondary key can be used to protect
identity-hiding and early encrypted data as well.)


More information about the Noise mailing list