[noise] Explicit nonces (for lossy transports)
trevp at trevp.net
Thu Jun 15 11:15:27 PDT 2017
On Thu, Jun 15, 2017 at 7:42 AM, Jake McGinty <me at jake.su> wrote:
> Thanks so much for laying out the challenges. This summary of the
> considerations is
> gold, and yeah I agree.
> It sounds like a lot of what I was describing belongs in a “Noise Pipes
> project which could have a opinionated level 4 protocol to make it easy to
> WebRTC-esque protocols using Noise.
Yeah, I think we're all agreed that mechanisms for lost / out-of-order
messages don't belong in the Noise crypto spec but in a layer above it
(like WireGuard, or like the "Simple 0-RTT Protocol" Alexey and I are
I also agree that the crypto spec could have better language about
out-order nonces during transport encryption.
Another consideration for nonces: It's possible at some point we'll
consider Noise modifications that replace the entire SymmetricState
(e.g. with sponge-based crypto), instead of just the cipher and hash
functions. That might also require different language around nonces.
However, I don't think there's a pressing need to generalize the
spec's language about nonces (i.e. it's not holding anyone up). So it
might be best to just keep this in mind while we continue discussing
these issues, in the hope it gets more clear later.
Specifically about "Noise Pipes UDP" - I think the question Jason
raises is whether use cases and requirements are clear enough to
design for? And are there "customers" that would use this? I
mentioned WebRTC without much thought - I don't know much about it, so
don't give that much weight.
You could look at applications that use DTLS, but I don't know how
successful that's been, or how valuable it is as a model?
More information about the Noise