[noise] Pattern validity questions

Trevor Perrin trevp at trevp.net
Sun May 14 12:52:48 PDT 2017

On Sun, May 14, 2017 at 7:31 PM, Alex <alex at centromere.net> wrote:
> In section 7.1 of rev32b, item 2 states:
>> Parties must not send their static public key, or an ephemeral public
>> key, more than once per handshake (i.e. including the pre-messages,
>> there must be no more than one occurrence of "e", and one occurrence
>> of "s", in the messages sent by any party).
> The language says, "no more than one", which indicates to me that it's
> valid to have a pattern with zero e tokens. Wouldn't this lead to
> catastrophic key re-use?

No, key reuse is prevented by 7.1 bullet 3 (for DH) and 9.3 (for PSK).

Currently the spec allows handshake patterns which don't use any DH
outputs or PSKs, for example the empty pattern, or patterns like:

 -> e
 <- e

Where public keys are transmitted but never used.

We could add another validity rule to explicitly disallow this.
However it's pretty obvious that if you don't use keys you won't get
security.  So that doesn't seem like an important observation, and I
think I'd be mildly opposed to adding it.

> Should the language be modified to indicate
> that the `e` token must appear "exactly once"?

I think the existing rules are sufficient.

> And item 3 states:
>> After performing a DH between a remote public key and any local
>> private key that is not an ephemeral private key, the local party must
>> not send any encrypted data unless they have also performed a DH
>> between an ephemeral private key and the remote public key.
> What is meant by "must not send any encrypted data"? Is information
> contained in the payload of a Noise message considered encrypted data,
> or does "encrypted data" refer to information encrypted with keys
> derived from Split()?

What is meant is any data encrypted via ENCRYPT().  I'll think about
how to be more explicit there.

> "and the remote public key." -- any remote public key? Would it be
> better if this said, "and a remote public key"?

I don't think so, it's referring to the remote public key that was
mentioned at the beginning of the sentence.

> Is the following an example of a pattern which specifically violates
> rule 3?:
> Noise_invalid(s, rs):
>   <- s
>   ...
>   -> e, es, s, ss
>   <- e

Yes, it's missing se and ee in the second message, per bullet 3.


More information about the Noise mailing list