[noise] Noise & MEM-AEAD

Jason A. Donenfeld Jason at zx2c4.com
Mon Jan 30 09:59:11 PST 2017

Hey Trevor & folks,

Anyone here interested in a Noise suite involving MEM-AEAD?


MEM-AEAD uses the Blake2b permutation, and OPP mode is 0.55
cycles/byte, using only 1 pass, which is pretty much the fastest AEAD
that doesn't involve AES-NI. In Noise, this would reduce code size,
since the Blake2b internals can be reused, resulting pretty much in
just a Blake2b+ECDH based protocol. Most of all, the paper has
security proofs for the construction.

There's a C and a Rust implementation here:

And one of the authors (CC'd) has a recorded presentation from Eurocrypt:

Is anybody on this list (or Trevor?) interested in this? I plan to do
an experimental branch of WireGuard for testing this out.


More information about the Noise mailing list