[noise] Hybrid Forward Secrecy, version 1draft-2

Trevor Perrin trevp at trevp.net
Mon Oct 3 02:03:17 PDT 2016

On Tue, Sep 27, 2016 at 6:15 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> On Tue, Sep 27, 2016 at 7:09 PM, Rhys Weatherley <rhys.weatherley at gmail.com>
> wrote:
>> I've been working on the implementation for Noise-C (not pushed yet due to
>> a bug in my test vector generator).
> The bug has been fixed.  I have pushed my first-pass Noise-C implementation
> of Hybrid Forward Secrecy.  Test vectors can be found here:
> https://raw.githubusercontent.com/rweather/noise-c/master/tests/vector/noise-c-hybrid.txt

Sweet!  Code is here, for those looking:


If we want to run something by Tor (which is one possible goal),
there's something else to think about.

Tor's current "Ntor" handshake is basically:

<- s
-> e
<- e, ee, es

Which is close to Noise_NK:

<- s
-> e, es
<- e, ee

But NK does the ephemeral-static DH immediately, so it can encrypt the
client's first payload.  Tor doesn't care about that, and defers the

We could just call that the "ntor" pattern.  But it might be nicer to
have a "defer" transformation that moves DHs later, so the above would
be "NKdefer".  With hybrid forward secrecy, something like:

  <- s
  -> e, f
  <- e, f, ee, ff, es

Straightforward here, but for more complicated patterns there might be
multiple ways we could defer DHs.  So that's something we should
puzzle through, at some point.
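An added example, not part of the original message and not Noise-C code: one possible reading of the "defer" transformation, checked against the two patterns written out above. The helpers `defer` and `add_hybrid` are hypothetical names, the rule "move static-key DHs to the end of the next message" is an assumption, and the hybrid rule ("f" after "e", "ff" after "ee") is read off the pattern shown in the message.

```python
# Added illustration; defer() and add_hybrid() are hypothetical helpers,
# not part of Noise-C or of any Noise specification text quoted here.

STATIC_DH = {"es", "se", "ss"}   # DH tokens that involve a static key

def defer(messages, tokens_to_defer=STATIC_DH):
    """Move each selected DH token to the end of the following message.

    messages: list of (direction, [tokens]) with direction "->" or "<-".
    Assumption: if the last message still carries a deferred token, a new
    message in the opposite direction is appended to hold it.
    """
    out, carried = [], []
    for direction, tokens in messages:
        kept = [t for t in tokens if t not in tokens_to_defer]
        moved = [t for t in tokens if t in tokens_to_defer]
        out.append((direction, kept + carried))
        carried = moved
    if carried:
        last_dir = out[-1][0]
        out.append(("<-" if last_dir == "->" else "->", carried))
    return out

def add_hybrid(messages):
    """Insert "f" after every "e" and "ff" after every "ee"."""
    extra = {"e": "f", "ee": "ff"}
    result = []
    for direction, tokens in messages:
        new_tokens = []
        for t in tokens:
            new_tokens.append(t)
            if t in extra:
                new_tokens.append(extra[t])
        result.append((direction, new_tokens))
    return result

def render(messages):
    """Format messages the way the patterns are written in the message."""
    return [f"{d} {', '.join(toks)}" for d, toks in messages]

# Noise_NK message patterns; the "<- s" pre-message is unchanged by deferral.
NK = [("->", ["e", "es"]), ("<-", ["e", "ee"])]

if __name__ == "__main__":
    print("\n".join(render(defer(NK))))              # the Ntor-shaped pattern
    print("\n".join(render(add_hybrid(defer(NK)))))  # with hybrid tokens
```

A pattern whose final message contains a static-key DH gains an extra message under this rule, which is one of the choices a real "defer" definition would have to settle.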

