[noise] Semi-ephemeral patterns

Trevor Perrin trevp at trevp.net
Mon May 23 10:48:53 PDT 2016

On Sat, May 14, 2016 at 10:50 AM, Trevor Perrin <trevp at trevp.net> wrote:
> But semi-ephemerals are potentially useful for zero-RTT encryption,
> since some servers might be able to change their semi-ephemeral key
> more frequently than their static key.
> The older _E patterns were (arguably) too complicated.
> If we skip re-authenticating the server static we get simpler _E
> patterns that are very similar to the _K patterns:
> Noise_IK(s, rs):      Noise_IE(s, rs, re):
>   <- s                  <- s, e
>   ...                   ...
>   -> e, dhes, s, dhss   -> e, dhee, s, dhse
>   <- e, dhee, dhes      <- e, dhee, dhes

An alternative to adding "semi-ephemeral" patterns is to allow Noise
Pipes to use a semi-ephemeral (aka semi-static) public key as the
"static" key for the IK resumption, even if it's different than the
static key for the XX initial handshake.

Example:  After an XX or IK handshake, the server can provide a new
semi-static public key.  The client will use that for future IK
handshakes, while including the original static public key as
prologue.  When the server replaces the semi-static key, a fallback
handshake occurs, which can deliver a new semi-static public key.

I'm leaning towards this, since it avoids adding a bunch of new patterns.


More information about the Noise mailing list