[noise] Revision 32 draft (march 30)
Rhys Weatherley
rhys.weatherley at gmail.com
Sat Apr 1 14:33:44 PDT 2017
On Fri, Mar 31, 2017 at 11:40 AM, Trevor Perrin <trevp at trevp.net> wrote:
> Made a pass on the Noise spec, and got in almost everything I think we
> want in next revision. No changes or incompatibilities, but some
> additions.
>
> Hopefully this doc can be frozen soon, as it's getting pretty stuffed.
> I'm thinking of starting an extensions doc to cover more complicated
> uses of Noise (hybrid forward secrecy, PSK and semiephemeral
> resumption, pattern transformations and combining them, etc.).
>
> https://github.com/noiseprotocol/noise_spec/blob/rev32/output/noise.pdf
> https://github.com/noiseprotocol/noise_spec/blob/rev32/noise.md
>
> Additions:
>
> * Limit of 255 bytes to protocol names
>
> * Rekey capability:
> - Encryption with MAXNONCE is used to rekey by default, though we
> allow definition of a more specialized rekey for ciphers like
> AESGCM-SIV where we'd rather use the cipher key directly with AES,
> instead of going through the whole key-derivation / SIV process.
> - Up to application if/when/how to use this.
> - Would still like to analyze more, but this is probably good [1].
>
Rekey() looks good. The only nitpick I have is with "returns a new 32-byte
>
> * Strict vs non-strict DH functions:
> - Allows a DH function to be defined with an error return (e.g.
> secp256k1 or other DH encodings that use compressed points and
> decompression).
> - Could also be used to define a 25519strict (or whatever you'd
> name it) that checks for zero output, if one really wanted that.
> - Would still like to think more about handling null public keys,
> right now this is a recommendation to define them, perhaps we leave it
> at that? [2].
>
> * Channel-bindings UNCHANGED:
> - I was thinking of doing HASH(h || label) or HMAC(h, label) to
> extract labelled channel-binding values. But on further thought, if a
> higher-level protocol is using the channel-binding plus its own keys
> so sloppily that the output can be transferred between different
> contexts (i.e. cross-protocol attacks) that's the protocol's problem,
> not ours, so better to keep this simple.
>
> * Pattern transformations and "noidh" removed. I think things like
> this should go in an "extensions" doc discussing transformations and
> extensions like:
> - "noidh" (identity-hiding)
> - "hfs" (hybrid forward-secrecy)
> - PSK and semi-ephemeral 0-RTT
> - maybe extensions for altering when the PSK is applied (an idea of
> Jason's)
> - extensions for adding/removing ss, or deferring DHs, etc.
>
> * "Fallback patterns" instead of "dependent" patterns:
> - The only case where initiator ephemerals are used as pre-messages
> is for fallback, so I overhauled the text to be more specific and I
> think clearer about this (see: Sections 8 and 9.1).
> - Section 9 rewritten to be clearer (hopefully?) about all this.
> - Roles don't change during fallback, so fallback patterns are
> written more nicely:
>
> Noise_XX(s, rs):
> -> e
> <- e, ee, s, es
> -> s, se
>
> Noise_XXfallback(e, s, rs):
> -> e
> ...
> <- e, ee, s, es
> -> s, se
>
> * Fixed the indistinguishable handshakes section, since it's not
> actually possible to use XX there.
>
> This is a slew of new text, so feedback appreciated!
>
> Trevor
>
> [1] https://moderncrypto.org/mail-archive/noise/2017/000944.html
> [2] [2] https://moderncrypto.org/mail-archive/noise/2017/000867.html
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20170402/86722682/attachment.html>
More information about the Noise
mailing list