[noise] Pattern notation, again

Trevor Perrin trevp at trevp.net
Mon Oct 3 01:17:36 PDT 2016


I'd like to finish the pattern notation discussion.  Here's what I suggest:

 (1) Replace "dhes" with "es" etc, where the first character indicates
the initiator keypair, second character indicates the responder
(instead of sender, then recipient, as current).

I tried this in a branch:

https://github.com/noiseprotocol/noise_spec/tree/notation
https://github.com/noiseprotocol/noise_spec/blob/notation/output/noise.pdf

 (2) For hybrid forward secrecy, use "f" and "ff".


Rationales:

 (1) Removing "dh" makes the notation more generic, for non-DH
algorithms (e.g. NewHope).  Using initiator/responder instead of
sender/receiver makes the patterns easier to read, since you can
always read "es" as responder auth, and "se" as initiator auth.  The
impact on pseudocode is small, basically just an "if
(role==initiator)" before deciding which DH to do.

 (2) I was previously arguing for "f" and "g", since the values might
be of different types and sizes (e.g. NewHope).  But then:
 - Depending on who sends first we'd have "fg" or "gf", and we'd also
have variables for (f, rf, g, rg).
 - This clutters the patterns with an extra letter (g).
 - Some algorithms might *NOT* have different types and sizes, eg.
using a 448 DH for hybrid forward secrecy.
 - Implementation feedback from Rhys was that "g" makes things more awkward.
 - using "ff" parallels "ee" more closely, so the "hfs" transformation
is easy to read, since it just pairs "e" and "ee" with "f" and "ff":

From:
  -> e
  <- e, ee, s, es

To:
  -> e, f
  <- e, f, ee, ff, s, es


Thoughts?

Trevor


More information about the Noise mailing list