[noise] Rev30 branch

Rhys Weatherley rhys.weatherley at gmail.com
Sat Jul 2 16:25:39 PDT 2016

On Sat, Jul 2, 2016 at 4:23 PM, Trevor Perrin <trevp at trevp.net> wrote:

> I expanded the discussion on "Variant patterns for Noise Pipes" (9.3)
> and "Semi-static keys for Noise Pipes" (9.4):
> https://github.com/noiseprotocol/noise_spec/compare/master...rev30
> https://github.com/noiseprotocol/noise_spec/blob/rev30/noise.md
> https://github.com/noiseprotocol/noise_spec/blob/rev30/output/noise.pdf

A question:

"If any negotiation occurred in the first handshake, the first handshake's
`h` variable should be provided as prologue to the second handshake."

What means "any negotiation"?  My test vectors for Noise Pipes have assumed
that the original prologue and PSK are passed to the fallback handshake
as-is unless the application takes specific steps between fallback() and
the new start() to override them.

The IK packet will fail on the "dhes" token in the responder.  By that
time, the "h" value will already have been set to something by the previous
"e" token.  Is that "h" the value that should be passed to XXfallback as
the prologue?

Or should "h" only be passed on if a previous messages were successful, and
the failure has occurred on the 2nd or 3rd message in the handshake?  And
which "h"?  The one at the end of the previous successful message, or the
one at the failure point in the new message?

I think this needs to be clarified.

 * Some clarification on combining PSK with Noise Pipes, but no-one
> was doing this, so it also shouldn't affect anything.

Well, my noise-c-fallback.txt test vectors were, so they'll need to change.
:-)  And if fallback prologues are now all based on "h", then the non-PSK
vectors will change too.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160703/122f74b9/attachment.html>

More information about the Noise mailing list