[noise] Negotiation and 0-RTT

Trevor Perrin trevp at trevp.net
Fri Jul 7 00:11:49 PDT 2017

On Fri, Jul 7, 2017 at 2:44 AM, Alexey Ermishkin <scratch.net at gmail.com> wrote:
> Exactly what I was going to suggest!
> This looks simpler [...]

I agree this seems simpler.  Let's consider this the front-runner.

There's one point to consider about hashing:

Previously we assumed the initial protocol's "handshake hash" would be
used in the fallback prologue.  An alternative would be to include the
raw handshake transcript as fallback prologue.

The advantage of using the initial handshake hash is that the client
can hash it immediately and just store the hash, instead of having to
buffer the initial message so that it can be hashed after the server
chooses a hash function.

The advantages of hashing the transcript:
 * Uses the negotiated hash algorithm.  The initial protocol might've
used a weaker hash algorithm, whereas the "fallback" protocol uses the
server's preferred algorithm.
 * The server isn't required to recognize the client_version before
attempting a fallback.  Not sure how useful that is, because the
server probably needs to recognize it anyways to get the ephemeral
from the initial message, but maybe this is more flexible.

So the prologue for the 2 cases (client_version == server_version, and
client_version != server_version) could be:

"NoiseLinkInit" || client_version...negotiation_data

"NoiseLinkReinit" || client_version...server_version

This seems like perhaps the better trade-off.

Are there other details to lock down for negotiation?  If not, we can
return to the Simple 1-RTT thread (or start a new one) and try to
finalize the details on padding, API, name, and anything else.


More information about the Noise mailing list