[noise] Hybrid Forward Secrecy, version 1draft-2

Trevor Perrin trevp at trevp.net
Tue Sep 27 01:46:04 PDT 2016

On Sat, Sep 24, 2016 at 10:19 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> I have updated the extensions for hybrid forward secrecy and New Hope:
> https://github.com/rweather/noise_spec/blob/forward_secrecy/extensions/ext_hybrid_forward_secrecy.md
> https://github.com/rweather/noise_spec/blob/forward_secrecy/extensions/ext_newhope.md

Cool, quick feedback:

 * This currently mixes the "fg" notation with "dh??" notation, but
the "fg" notation would be more consistent with changing from "dhee??"
to "ee", "ss", "es", "se", so we need to think more about that.

 * If we change the existing notation so that "es" or "se" indicate
the initiator's value by the first character, then it may make sense
to allow "fg" and "gf" tokens that follow the same rule.

 * It's awkward to use f and rf for the state variables that match
both "f" and "g" tokens.  I would think there should be g and rg
variables, so that this is handled consistently with s and e.

 * You mention allowing reuse of the hybrid ephemeral values.  This
isn't covered by the pseudocode, which will generate a fresh value
every handshake.  That's simpler and perhaps safer, since
implementations don't have to rotate keys via timer or other logic.  So
could we get by without ephemeral reuse, for now?

 * You mention the idea of pattern transformations that defer some
operations till later.  That's a good idea (e.g. see our previous XR
pattern), so at some point we'll need a better treatment of that.
