[noise] NewHope-Simple

Trevor Perrin trevp at trevp.net
Sat Dec 24 00:13:54 PST 2016

On Sun, Dec 18, 2016 at 1:52 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> I have updated the New Hope extension to use this version of New Hope:
> https://github.com/rweather/noise_spec/blob/forward_secrecy/extensions/ext_newhope.md
> I have also applied some of the previous review feedback to the HFS
> extension:
> https://github.com/rweather/noise_spec/blob/forward_secrecy/extensions/ext_hybrid_forward_secrecy.md

Cool, looks good.

NIST has made progress on their "Post-Quantum Crypto Project".  Their
terminology mostly matches ours:

They discuss "hybrid modes":


They also discuss "KEM schemes" for public-key encryption-like
algorithms which output a symmetric key (instead of encrypting an
arbitrary plaintext).  And they discuss "Ephemeral-Only
Key-Establishment" and "ephemeral key exchange", in the context of
KEMs.  So NewHope would presumably be an "ephemeral-only KEM" or


NIST claims that "in its most widely used applications, such as those
requiring forward secrecy, Diffie-Hellman can be replaced by any
secure KEM with an efficient key generation algorithm. The additional
features of Diffie-Hellman may be useful in some applications, but
there is no widely accepted security definition of which NIST is aware
that captures everything one might want from a Diffie-Hellman

I was planning to add definitions of NIKE and GapDH into the next
Noise draft to formalize what we mean by DH.  It's interesting that
NIST didn't want to take this route, not sure what that means.


More information about the Noise mailing list