[noise] Hybrid Forward Secrecy, version 1draft-3

Trevor Perrin trevp at trevp.net
Sat Oct 8 13:55:42 PDT 2016

On Fri, Oct 7, 2016 at 4:25 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> I have updated the hfs and New Hope extensions.  The main changes are:
> - Use the token naming conventions from revision 31 of the Noise
> specification.
> - Replace the "f, g, fg" token set with "f, ff".
> https://github.com/rweather/noise_spec/blob/forward_secrecy/extensions/ext_hybrid_forward_secrecy.md
> https://github.com/rweather/noise_spec/blob/forward_secrecy/extensions/ext_newhope.md

Looks roughly right, definitely worth a close read and trial
implementation.  Quick comments:

 * It's not immediately obvious that "r" could be empty in
GENERATE_KEYPAIR_F, until you read further.  Also - should it be "rf"?

 * In ReadMessage(), formatting is off.

 * Do we want to allow re-use of the "f" value?  I was leaning away
from that, but not sure.

 * Are bullets 2 and 5 in "Pattern Validity" necessary?

 * The "Future Directions" stuff needs more work, of course.

> In the same forked branch I have also created a machine-readable pattern
> dictionary for all of the patterns in the Noise specification and the hfs
> extension:
> https://github.com/rweather/noise_spec/tree/forward_secrecy/patterns
> I'm working on some Python scripts to process this format, for help in
> analysing patterns

Cool, look forward to that, if we could automatically double-check the
security properties, that would be a big step forward.


More information about the Noise mailing list