[noise] Semi-ephemeral patterns
Trevor Perrin
trevp at trevp.net
Mon May 23 10:48:53 PDT 2016
On Sat, May 14, 2016 at 10:50 AM, Trevor Perrin <trevp at trevp.net> wrote:
>
> But semi-ephemerals are potentially useful for zero-RTT encryption,
> since some servers might be able to change their semi-ephemeral key
> more frequently than their static key.
[...]
> The older _E patterns were (arguably) too complicated.
[...]
> If we skip re-authenticating the server static we get simpler _E
> patterns that are very similar to the _K patterns:
[...]
> Noise_IK(s, rs): Noise_IE(s, rs, re):
> <- s <- s, e
> ... ...
> -> e, dhes, s, dhss -> e, dhee, s, dhse
> <- e, dhee, dhes <- e, dhee, dhes
An alternative to adding "semi-ephemeral" patterns is to allow Noise
Pipes to use a semi-ephemeral (aka semi-static) public key as the
"static" key for the IK resumption, even if it's different than the
static key for the XX initial handshake.
Example: After an XX or IK handshake, the server can provide a new
semi-static public key. The client will use that for future IK
handshakes, while including the original static public key as
prologue. When the server replaces the semi-static key, a fallback
handshake occurs, which can deliver a new semi-static public key.
I'm leaning towards this, since it avoids adding a bunch of new patterns.
Trevor
More information about the Noise
mailing list