[noise] What needs forward secrecy? (for Disco)

David Wong davidwong.crypto at gmail.com
Mon Nov 20 09:58:27 PST 2017

> I think new crypto algorithms need to provide the same security
> properties as existing crypto.

That's the reason why SHA-3 was so slow to begin with. If a security
property is not needed I don't see why it should persist.

> Noise certainly considers the security properties of individual
> handshake messages to be important (e.g. tables in section 7.4 and
> 7.5).  It's totally plausible that an application could care about
> forward-secrecy of, say, 0-RTT data, when considering a compromise
> later in the handshake.

The Split() function introduces forward secrecy with the RATCHET()
function. Would this be enough for 0-RTT? It's certainly enough for
other scenarios.

> Luckily, this hashing is a small fraction of handshake time.

True. But I still don't see strong reasons to introduce it.
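
The Split()/RATCHET() mechanism discussed above, as an added illustration that is not part of the original post and not Disco's or Strobe's code: a toy Strobe-style duplex whose permutation is a four-round Feistel network with SHA-256 as the round function, chosen only because it is invertible by anyone holding the full state, as Keccak-f is. The protocol name, handshake message, DH output and all function names are constructed for the example. It shows why zeroing the rate bytes in RATCHET() matters: in the toy, a compromise after Split() cannot be rolled back past the ratchet to the 0-RTT keystream, while a compromise later in the handshake but before Split() still recovers it, because only permutations separate the two states.

```python
# Toy model of a Strobe-style duplex, added to illustrate what RATCHET() buys.
# Not Disco's or Strobe's code: the permutation is a 4-round Feistel network
# with SHA-256 as the round function, chosen only because, like Keccak-f, it is
# invertible by anyone holding the full state.
import hashlib

STATE_LEN = 64   # bytes: two 32-byte Feistel halves
RATE = 16        # bytes absorbed per block, emitted per PRF(), zeroed per RATCHET()
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(i: int, half: bytes) -> bytes:
    return hashlib.sha256(b"toy-round" + bytes([i]) + half).digest()


def permute(state: bytes) -> bytes:
    """Invertible mixing step (stand-in for Keccak-f)."""
    left, right = state[:32], state[32:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _f(i, right))
    return left + right


def unpermute(state: bytes) -> bytes:
    """Inverse of permute(): what an attacker holding the raw state can run."""
    left, right = state[:32], state[32:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(i, left)), left
    return left + right


class ToyDuplex:
    def __init__(self, protocol_name: bytes):
        self.state = bytes(STATE_LEN)
        self.absorb(protocol_name)

    def copy(self) -> "ToyDuplex":
        clone = ToyDuplex.__new__(ToyDuplex)
        clone.state = self.state
        return clone

    def absorb(self, data: bytes) -> None:
        """AD() and KEY() both reduce to this in the toy: pad, XOR each block
        into the rate part of the state, permute."""
        padded = data + b"\x80"
        padded += bytes(-len(padded) % RATE)
        for off in range(0, len(padded), RATE):
            block = padded[off:off + RATE]
            self.state = permute(_xor(self.state[:RATE], block) + self.state[RATE:])

    def prf(self) -> bytes:
        """PRF(): permute, then emit the rate bytes. They stay in the state."""
        self.state = permute(self.state)
        return self.state[:RATE]

    def ratchet(self) -> None:
        """RATCHET(): zero the rate bytes (the ones PRF() just exposed) and permute.
        Inverting later states now stops at a state whose rate bytes are zeros,
        so nothing before this point can be reconstructed."""
        self.state = permute(bytes(RATE) + self.state[RATE:])


def split(handshake: ToyDuplex) -> tuple:
    """Toy Split(): clone the handshake state, separate the two directions, and
    RATCHET() each clone so it cannot be rolled back to the handshake state."""
    halves = []
    for label in (b"initiator", b"responder"):
        half = handshake.copy()
        half.absorb(label)
        half.ratchet()
        halves.append(half)
    return halves[0], halves[1]


def rollback_finds_key(stolen_state: bytes, key: bytes, max_steps: int) -> bool:
    """Attacker model: invert the permutation up to max_steps times and check
    whether some earlier state still carries `key` in its rate bytes."""
    state = stolen_state
    for _ in range(max_steps):
        state = unpermute(state)
        if state[:RATE] == key:
            return True
    return False


def demo() -> dict:
    """Constructed scenario around the thread's 0-RTT question."""
    hs = ToyDuplex(b"Toy_NK_toysponge")        # hypothetical protocol name
    hs.absorb(b"-> e, es")                       # constructed public handshake message
    hs.absorb(bytes(range(32)))                  # stand-in for the es DH output
    k0 = hs.prf()                                # keystream protecting the 0-RTT payload

    # Compromise later in the handshake, before Split(): only permutations since k0.
    mid = hs.copy()
    mid.prf()                                    # next message draws more keystream
    before_split = rollback_finds_key(mid.state, k0, max_steps=4)

    # Compromise after Split(): the RATCHET() in split() sits between k0 and the theft.
    initiator, _responder = split(hs)
    initiator.prf()                              # first transport-phase keystream
    after_split = rollback_finds_key(initiator.state, k0, max_steps=4)

    return {"k0_recovered_before_split": before_split,
            "k0_recovered_after_split": after_split}


if __name__ == "__main__":
    print(demo())
```

The attacker in `rollback_finds_key` only ever inverts the permutation, which is exactly what a real state compromise of a sponge permits; the ratchet defeats it by destroying the RATE bytes it would need, and guessing them costs 2^(8*RATE) trials. What the toy does not model is the quoted suggestion of ratcheting per handshake message, which would close the before-Split window as well.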

