[noise] Spec revision 32

Trevor Perrin trevp at trevp.net
Wed May 17 11:22:56 PDT 2017


Revision 32 is published at:

http://noiseprotocol.org/noise.pdf
http://noiseprotocol.org/noise.html


COMPATIBILITY CHANGES
======================

 * PSK support was changed to allow PSKs to be added at different
points in the handshake.  This is incompatible with all previous PSK
handshakes, which are replaced with new ones, using a new naming
scheme.

 * Null public keys (all-zeros) are no longer supported, because some
implementations don't handle them as expected (see next section), and
they're not easy to adapt to other curves.


SUBSTANTIVE CHANGES
======================

 * A Rekey() function was added to CipherStates so that applications
can "rekey" their CipherStates whenever they wish.  Libraries are
encouraged to support this.

 * Implementations of X25519 and X448 are allowed to abort when
processing a small-order input (which gives an all-zeros output).
This is discouraged, but matches some implementations.

 * Pattern validity rules are changed to be simpler / more consistent:
 Only a single ephemeral from each party is allowed, and these
ephemerals don't have to be the first token of the first message.
This doesn't affect existing patterns, but might affect nonstandard
patterns.


CLARIFICATIONS
===============

Many things are clarified, including:
 * DH security requirements
 * Error-handling in handshakes
 * Handshake pattern validity
 * Handshake pattern naming and "modifiers"
 * Fallback handshakes
 * Dummy keys
 * More rationales, in particular HMAC/HKDF rationale
 * Acknowledgements

More info can be found on the mailing list, e.g.

https://moderncrypto.org/mail-archive/noise/2017/001006.html
https://moderncrypto.org/mail-archive/noise/2017/000903.html

Thanks to everyone who helped with discussion!

Trevor

