[noise] Semi-static vs semi-ephemeral (was Re: Rev30 branch)
Trevor Perrin
trevp at trevp.net
Sat Jul 2 01:03:46 PDT 2016
On Fri, Jul 1, 2016 at 11:23 PM, Trevor Perrin <trevp at trevp.net> wrote:
> "Semi-static keys for Noise Pipes" (9.4):

Hmm, this needs more thought. I liked the idea of not creating new
handshake patterns for semi-ephemeral aka semi-static handshakes.

But it's not working out that elegantly, since we still want to bind the
original static in the resumed handshake to avoid identity misbinding (a
malicious responder provides a semi-static public key from some unrelated
service). So we're stuffing the original static in the prologue, which is
ugly and not a guaranteed fix, because the unrelated service might not have
the same semantics for its prologue.

An alternative would be to define semi-ephemeral patterns as
"transformations" from the non-semi-ephemeral versions. That makes the
relationship with the original pattern clear, and more clearly expresses
the binding to the original static.

That would look something like this (original patterns on left, transformed
semi-ephemeral ones on right):

Noise_NK(rs):                   Noise_NKsemi(rs, re):
  <- s                            <- e, s
  ...                             ...
  -> e, dhes                      -> e, dhee
  <- e, dhee                      <- e, dhee

Noise_XK(s, rs):                Noise_XKsemi(s, rs, re):
  <- s                            <- e, s
  ...                             ...
  -> e, dhes                      -> e, dhee
  <- e, dhee                      <- e, dhee
  -> s, dhse                      -> s, dhse

Noise_IK(s, rs):                Noise_IKsemi(s, rs, re):
  <- s                            <- e, s
  ...                             ...
  -> e, dhes, s, dhss             -> e, dhee, s, dhse
  <- e, dhee, dhes                <- e, dhee, dhes

Trevor
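
The transformation described in the message above, as an added example that is not part of the original post or of the Noise project. The rewrite rule is an assumption inferred from the three pattern pairs shown (it generalizes them), and the names to_semi and ORIGINALS are hypothetical.

```python
import re

# Constructed input: the three left-hand patterns from the message, one line each.
# Tokens are read as in the message: dhXY = sender's key X with recipient's key Y.
ORIGINALS = {
    "Noise_NK(rs)": ["<- s", "...", "-> e, dhes", "<- e, dhee"],
    "Noise_XK(s, rs)": ["<- s", "...", "-> e, dhes", "<- e, dhee", "-> s, dhse"],
    "Noise_IK(s, rs)": ["<- s", "...", "-> e, dhes, s, dhss", "<- e, dhee, dhes"],
}

def to_semi(name, lines):
    """Derive the semi-ephemeral pattern from an original one.

    Assumed rule: the responder pre-message '<- s' becomes '<- e, s', and in
    the initiator's first message every DH against the responder's static
    (dhes, dhss) targets the semi-ephemeral instead (dhee, dhse). The static
    stays in the pre-message, so the derived pattern is still bound to it.
    """
    m = re.fullmatch(r"(Noise_\w+)\((.*)\)", name)
    if not m:
        raise ValueError(f"unrecognised pattern name: {name!r}")
    if "..." not in lines:
        raise ValueError("pattern has no pre-message section")
    split = lines.index("...")
    pre, msgs = lines[:split], lines[split + 1:]
    if "<- s" not in pre:
        raise ValueError("responder static is not known in advance")
    if not msgs or not msgs[0].startswith("-> "):
        raise ValueError("first handshake message must come from the initiator")

    new_pre = ["<- e, s" if line == "<- s" else line for line in pre]
    tokens = [t.strip() for t in msgs[0][3:].split(",")]
    # dhes -> dhee, dhss -> dhse; plain 'e' and 's' tokens are left alone.
    tokens = [t[:3] + "e" if re.fullmatch(r"dh[es]s", t) else t for t in tokens]
    first = "-> " + ", ".join(tokens)

    new_name = f"{m.group(1)}semi({m.group(2)}, re)"
    return new_name, new_pre + ["...", first] + msgs[1:]

if __name__ == "__main__":
    for name, lines in ORIGINALS.items():
        semi_name, semi_lines = to_semi(name, lines)
        print(semi_name + ":")
        for line in semi_lines:
            print("  " + line)
```

Patterns without a responder static pre-message (for example a constructed NN-style pattern) are rejected, since there is no original static for the derived pattern to stay bound to.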