[noise] Semi-static vs semi-ephemeral (was Re: Rev30 branch)

Trevor Perrin trevp at trevp.net
Sat Jul 2 01:03:46 PDT 2016

On Fri, Jul 1, 2016 at 11:23 PM, Trevor Perrin <trevp at trevp.net> wrote:
> "Semi-static keys for Noise Pipes" (9.4):

Hmm, this needs more thought.  I liked the idea of not creating new
handshake patterns for semi-ephemeral aka semi-static handshakes.

But it's not working out that elegantly, since we still want to bind the
original static in the resumed handshake to avoid identity misbinding (a
malicious responder provides a semi-static public key from some unrelated
service).  So we're stuffing the original static in the prologue, which is
ugly and not a guaranteed fix, because the unrelated service might not have
the same semantics for its prologue.

An alternative would be to define semi-ephemeral patterns as
"transformations" from the non-semi-ephemeral versions.  That makes the
relationship with the original pattern clear, and more clearly expresses
the binding to the original static.

That would look something like this (original patterns on left, transformed
semi-ephemeral ones on right):

Noise_NK(rs):            Noise_NKsemi(rs, re):
  <- s                     <- e, s
  ...                      ...
  -> e, dhes               -> e, dhee
  <- e, dhee               <- e, dhee

Noise_XK(s, rs):         Noise_XKsemi(s, rs, re):
  <- s                     <- e, s
  ...                      ...
  -> e, dhes               -> e, dhee
  <- e, dhee               <- e, dhee
  -> s, dhse               -> s, dhse

Noise_IK(s, rs):         Noise_IKsemi(s, rs, re):
  <- s                     <- e, s
  ...                      ...
  -> e, dhes, s, dhss      -> e, dhee, s, dhse
  <- e, dhee, dhes         <- e, dhee, dhes

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160702/3466ce74/attachment.html>

More information about the Noise mailing list