[noise] Spec revision 32
trevp at trevp.net
Wed May 17 11:22:56 PDT 2017
Revision 32 is published at:
* PSK support was changed to allow PSKs to be added at different
points in the handshake. This is incompatible with all previous PSK
handshakes, which are replaced with new ones, using a new naming
* Null public keys (all-zeros) are no longer supported, because some
implementations don't handle them as expected (see next section), and
they're not easy to adapt to other curves.
* A Rekey() function was added to CipherStates so that applications
can "rekey" their CipherStates whenever they wish. Libraries are
encouraged to support this.
* Implementations of X25519 and X448 are allowed to abort when
processing a small-order input (which gives an all-zeros output).
This is discouraged, but matches some implementations.
* Pattern validity rules are changed to be simpler / more consistent:
Only a single ephemeral from each party is allowed, and these
ephemerals don't have to be the first token of the first message.
This doesn't affect existing patterns, but might affect nonstandard

Many things are clarified, including:
* DH security requirements
* Error-handling in handshakes
* Handshake pattern validity
* Handshake pattern naming and "modifiers"
* Fallback handshakes
* Dummy keys
* More rationales, in particular HMAC/HKDF rationale
More info can be found on the mailing list, e.g.
Thanks to everyone who helped with discussion!
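
The small-order change announced above, as an added example that is not part of the original post or of any Noise library: a reference-style RFC 7748 X25519 in pure Python, showing that small-order inputs give an all-zeros output whatever the private key is, with the optional abort as a flag. The names `dh`, `abort_on_zero` and `SmallOrderInput` are hypothetical, and the scalars are constructed test values.

```python
import hmac

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, per RFC 7748

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Reference style, NOT constant time."""
    k_int = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k_int >> t) & 1
        if swap ^ bit:  # deferred conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    # z2 == 0 (point at infinity) inverts to 0, which yields the all-zeros output.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

class SmallOrderInput(Exception):
    """Raised by the optional abort behaviour (hypothetical name)."""

def dh(k: bytes, u: bytes, abort_on_zero: bool = False) -> bytes:
    out = x25519(k, u)
    # Compare against 32 zero bytes without an early exit.
    if abort_on_zero and hmac.compare_digest(out, bytes(32)):
        raise SmallOrderInput("DH output is all zeros")
    return out

# Constructed sample inputs: base point, two test scalars, three small-order u values.
BASE = (9).to_bytes(32, "little")
KEY_A, KEY_B = bytes(range(32)), bytes(range(100, 132))
SMALL_ORDER = [v.to_bytes(32, "little") for v in (0, 1, P - 1)]

def zero_outputs(key: bytes) -> list:
    """For each small-order input, report whether the DH output is all zeros."""
    return [dh(key, u) == bytes(32) for u in SMALL_ORDER]

if __name__ == "__main__":
    print(zero_outputs(KEY_A), zero_outputs(KEY_B))
```

Because the output is the same for every private key, a handshake that mixes it into its keys gains no secrecy from that DH, which is why the check is made on the output rather than on a list of input values.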