[noise] Hybrid Forward Secrecy, version 1draft-3
Rhys Weatherley
rhys.weatherley at gmail.com
Sat Oct 8 16:07:08 PDT 2016
On Sun, Oct 9, 2016 at 6:55 AM, Trevor Perrin <trevp at trevp.net> wrote:
> On Fri, Oct 7, 2016 at 4:25 PM, Rhys Weatherley
> <rhys.weatherley at gmail.com> wrote:
> > I have updated the hfs and New Hope extensions. The main changes are:
> >
> > - Use the token naming conventions from revision 31 of the Noise
> > specification.
> > - Replace the "f, g, fg" token set with "f, ff".
> >
> > https://github.com/rweather/noise_spec/blob/forward_secrecy/extensions/ext_hybrid_forward_secrecy.md
> > https://github.com/rweather/noise_spec/blob/forward_secrecy/extensions/ext_newhope.md
>
> Looks roughly right, definitely worth a close read and trial
> implementation.
I have updated both Noise-C and Noise-Java to include support for revision
31 and hybrid forward secrecy. They can be used as a "reference
implementation" to help others to implement hfs. Noise-Java is probably a
"purer" implementation of hfs - Noise-C needs some cleanups after all my
post-quantum experiments. Test vectors for hfs can be found here:
https://raw.githubusercontent.com/rweather/noise-c/master/tests/vector/noise-c-hybrid.txt
> Quick comments:
>
> * It's not immediately obvious that "r" could be empty in
> GENERATE_KEYPAIR_F, until you read further. Also - should it be "rf"?
>
Fixed.
>
> * In ReadMessage(), formatting is off.
>
There were so many nested "if ... then ... else" clauses in there that I
was trying to split the "f empty" and "f not empty" cases for greater
clarity. I'll think about how to reword it.
>
> * Do we want to allow re-use of the "f" value? I was leaning away
> from that, but not sure.
>
I downgraded it a little to 'reuse parts of "f"' rather than all of it to
potentially support New Hope's shared "a".
> * Are bullets 2 and 5 in "Pattern Validity" necessary?
>
Possibly not. The strictness was due to following the pre-message order of
"e, f" in section 4.2.
>
> * The "Future Directions" stuff needs more work, of course.
>
Yes. Suggestions welcome for alternative text.
Cheers,
Rhys.
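The message above discusses the "f"/"ff" tokens, GENERATE_KEYPAIR_F taking an "rf" that is empty on the initiator's side and present on the responder's side, and the handshake mixing both "ee" and "ff" secrets. The following is an added toy model of that flow, written for this archive page; it is not code from Noise-C, Noise-Java, or the hfs extension draft. Its assumptions: a tiny multiplicative group (2^127-1, generator 3, not secure) stands in for both the "e" DH and the "f" primitive, the "f" primitive is given a KEM-like shape so that the responder's key pair depends on the initiator's public "f" value, the pattern is an NN-style "-> e, f / <- e, f, ee, ff" with no payloads or encryption, and the protocol name `Noise_NNhfs_toy_SHA256` is invented for the example.

```python
import hashlib
import hmac
import secrets

# Toy group for the "e" and "f" key pairs: Mersenne prime 2^127-1, generator 3.
# Far too small to be secure; it only keeps the arithmetic readable and fast.
P = 2**127 - 1
G = 3
PUBLEN = 16  # every group element fits in 16 bytes
PROTOCOL = b"Noise_NNhfs_toy_SHA256"  # hypothetical name, used by this toy only


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hkdf(ck: bytes, ikm: bytes):
    """Two-output HKDF as Noise defines it, instantiated with HMAC-SHA256."""
    temp = hmac.new(ck, ikm, hashlib.sha256).digest()
    out1 = hmac.new(temp, b"\x01", hashlib.sha256).digest()
    out2 = hmac.new(temp, out1 + b"\x02", hashlib.sha256).digest()
    return out1, out2


class SymmetricState:
    """Minimal SymmetricState: transcript hash h and chaining key ck."""

    def __init__(self, protocol_name: bytes):
        self.h = H(protocol_name)
        self.ck = self.h

    def mix_hash(self, data: bytes):
        self.h = H(self.h + data)

    def mix_key(self, ikm: bytes):
        self.ck, _ = hkdf(self.ck, ikm)

    def split(self):
        return hkdf(self.ck, b"")


def generate_keypair_e():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P).to_bytes(PUBLEN, "big")


def dh(priv: int, pub: bytes) -> bytes:
    return pow(int.from_bytes(pub, "big"), priv, P).to_bytes(PUBLEN, "big")


def generate_keypair_f(rf: bytes):
    """GENERATE_KEYPAIR_F(rf).  With rf empty (the initiator) this is an ordinary
    key pair.  With rf present (the responder) the 'private' half is the shared
    secret already derived against rf and the 'public' half is what the peer needs
    to reach the same secret: the shape a KEM-style primitive takes (assumption)."""
    if not rf:
        priv, pub = generate_keypair_e()
        return ("initiator", priv, pub)
    b, pub = generate_keypair_e()
    return ("responder", H(dh(b, rf)), pub)


def ff(keypair, rf: bytes) -> bytes:
    """FF(keypair, rf): the hybrid shared secret for the 'ff' token."""
    role, secret, _pub = keypair
    if role == "initiator":
        return H(dh(secret, rf))
    return secret  # the responder fixed the secret when it generated 'f'


def run_handshake(tamper_f: bool = False):
    """Run '-> e, f' then '<- e, f, ee, ff'.  Returns (initiator keys,
    responder keys, transcript hashes agree).  tamper_f flips a byte of the
    responder's 'f' public value in transit to show 'ff' is bound into ck."""
    init, resp = SymmetricState(PROTOCOL), SymmetricState(PROTOCOL)

    # -> e, f   (initiator has no remote f yet, so rf is empty)
    ie, ie_pub = generate_keypair_e()
    i_f = generate_keypair_f(b"")
    msg1 = ie_pub + i_f[2]
    init.mix_hash(ie_pub)
    init.mix_hash(i_f[2])

    # responder reads e, f
    re_pub, rf = msg1[:PUBLEN], msg1[PUBLEN:]
    resp.mix_hash(re_pub)
    resp.mix_hash(rf)

    # <- e, f, ee, ff   (responder's f is generated against the received rf)
    re, re2_pub = generate_keypair_e()
    r_f = generate_keypair_f(rf)
    resp.mix_hash(re2_pub)
    resp.mix_hash(r_f[2])
    resp.mix_key(dh(re, re_pub))  # ee
    resp.mix_key(ff(r_f, rf))     # ff
    msg2 = re2_pub + r_f[2]
    if tamper_f:  # constructed fault: corrupt the f value on the wire
        msg2 = msg2[:PUBLEN] + bytes([msg2[PUBLEN] ^ 0x01]) + msg2[PUBLEN + 1:]

    # initiator reads e, f, ee, ff
    ire_pub, irf = msg2[:PUBLEN], msg2[PUBLEN:]
    init.mix_hash(ire_pub)
    init.mix_hash(irf)
    init.mix_key(dh(ie, ire_pub))  # ee
    init.mix_key(ff(i_f, irf))     # ff
    return init.split(), resp.split(), init.h == resp.h
```

The asymmetry the thread is circling is visible in `generate_keypair_f`: the initiator must produce its "f" value before it has seen anything from the responder, while the responder's "f" is a function of the initiator's value, which is why the draft's "rf" argument can be empty on one side only. Corrupting the responder's "f" on the wire makes the two `split()` outputs diverge even though the "ee" secret is untouched.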