[noise] Hybrid Forward Secrecy, version 1draft-3

Rhys Weatherley rhys.weatherley at gmail.com
Sat Oct 8 16:07:08 PDT 2016

On Sun, Oct 9, 2016 at 6:55 AM, Trevor Perrin <trevp at trevp.net> wrote:

> On Fri, Oct 7, 2016 at 4:25 PM, Rhys Weatherley
> <rhys.weatherley at gmail.com> wrote:
> > I have updated the hfs and New Hope extensions.  The main changes are:
> >
> > - Use the token naming conventions from revision 31 of the Noise
> > specification.
> > - Replace the "f, g, fg" token set with "f, ff".
> >
> > https://github.com/rweather/noise_spec/blob/forward_
> secrecy/extensions/ext_hybrid_forward_secrecy.md
> > https://github.com/rweather/noise_spec/blob/forward_
> secrecy/extensions/ext_newhope.md
> Looks roughly right, definitely worth a close read and trial
> implementation.

I have updated both Noise-C and Noise-Java to include support for revision
31 and hybrid forward secrecy.  They can be used as a "reference
implementation" to help others to implement hfs.  Noise-Java is probably a
"purer" implementation of hfs - Noise-C needs some cleanups after all my
post-quantum experiments.  Test vectors for hfs can be found here:


>   Quick comments:
>  * It's not immediately obvious that "r" could be empty in
> GENERATE_KEYPAIR_F, until you read further.  Also - should it be "rf"?


>  * In ReadMessage(), formatting is off.

There were so many nested "if ... then ... else" clauses in there that I
was trying to split the "f empty" and "f not empty" cases for greater
clarity.  I'll think about how to reword it.

>  * Do we want to allow re-use of the "f" value?  I was leaning away
> from that, but not sure.

I downgraded it a little to 'reuse parts of "f"' rather than all of it to
potentially support New Hope's shared "a".

 * Are bullets 2 and 5 in "Pattern Validity" necessary?

Possibly not.  The strictness was due to following the pre-message order of
"e, f" in section 4.2.

>  * The "Future Directions" stuff needs more work, of course.

Yes.  Suggestions welcome for alternative text.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20161009/858e98f3/attachment.html>

More information about the Noise mailing list