[noise] Pattern validity questions

Alex alex at centromere.net
Sun May 14 12:31:35 PDT 2017

In section 7.1 of rev32b, item 2 states:

> Parties must not send their static public key, or an ephemeral public
> key, more than once per handshake (i.e. including the pre-messages,
> there must be no more than one occurrence of "e", and one occurrence
> of "s", in the messages sent by any party).

The language says, "no more than one", which indicates to me that it's
valid to have a pattern with zero e tokens. Wouldn't this lead to
catastrophic key re-use? Should the language be modified to indicate
that the `e` token must appear "exactly once"?

And item 3 states:

> After performing a DH between a remote public key and any local
> private key that is not an ephemeral private key, the local party must
> not send any encrypted data unless they have also performed a DH
> between an ephemeral private key and the remote public key.

What is meant by "must not send any encrypted data"? Is information
contained in the payload of a Noise message considered encrypted data,
or does "encrypted data" refer to information encrypted with keys
derived from Split()?

"and the remote public key." -- any remote public key? Would it be
better if this said, "and a remote public key"?

Is the following an example of a pattern which specifically violates
rule 3?:

Noise_invalid(s, rs):
  <- s
  -> e, es, s, ss
  <- e


More information about the Noise mailing list