[noise] SAS (was: Explicit nonces (for lossy transports)

Trevor Perrin trevp at trevp.net
Tue Jul 11 18:13:04 PDT 2017

On Tue, Jul 11, 2017 at 10:09 PM, Trevor Perrin <trevp at trevp.net> wrote:
> Even aside from UDP, ZRTP has clever mechanisms (including
> self-healing key-continuity, and the Short-Auth-Strings).  It would be
> fun to try to reconstruct those in Noise.
> The SAS in particular would require some notion of "committing" to a
> DH value before revealing it, but it's possible that could be woven
> into the pattern language in some way

Thinking about this more:

Short Auth Strings are useful for things like "pairing" two devices by
checking that they display the same short code, or maybe even for
voice authentication between two parties, where their phones display a
short string which they verbally compare.

It might not be hard to support an "sas" modifier using "commit" and
"reveal" tokens:
 - "commit" - generates an "SAS" keypair and sends a cleartext hash of
the SAS public key
 - "reveal" - sends the "SAS" public key under encryption, then calls
MixKey(DH(SAS, ephemeral))

Then the Short-Auth-String is HASH(SAS_pubkey || ephemeral_pubkey)
truncated to desired length.

Example of "sas" modifier applied to XX and NN:

-> e
<- e, ee, s, es
-> s, se

-> e, commit
<- e, ee, s, es
-> s, se, reveal

-> e
<- e, ee

-> e, commit
<- e, ee
-> reveal


More information about the Noise mailing list