[noise] Noise meeting notes

Trevor Perrin trevp at trevp.net
Sat Jan 27 13:28:48 PST 2018


Hi folks,

Quick recap of the Noise meetup at RWC:

It was a pleasant little meeting!  We had 20-ish people, and everyone
had some interesting thoughts or projects around Noise.  We mainly
went around and had people introduce themselves and say what they'd
"like to see" and "like to work on" in the near future.

---

My "like to work on" was NoiseSocket and high-level APIs / protocol
layers to ease adoption; also post-quantum KEMs and hybrid
forward-secrecy.

My rationale for NoiseSocket etc. is that Noise is still too low-level
and complicated for most engineers to make use of.  For the latter, I
think hybrid post-quantum security is a good idea, and stretches us in
useful ways (multiple key types per handshake; KEMs instead of DH; new
pattern modifiers; and XOFs for supplying the KEM algorithm).

My "like to see" was code-generators and proof-generators.  In other
words, tools that could be given a Noise protocol name and would
output efficient code and a machine-checkable proof that the protocol
(and even the code!) are secure.

The rationale for code-generators is that to convince people that
Noise protocols are simple, I think we need to show them simple code.
Our current libraries are great, but the "pattern interpreter" style
of implementation is opaque and confusing to people.  (I think this is
a particular need for embedded systems; that should be a great
use-case for us, but they don't realize it yet).

For proof-generators: We want lots of protocols, no-one will write
pen-and-paper proofs for all of them, so we'll need automation.  Of
course, this is an enormous research project (or several)...

---

I won't summarize everyone's thoughts: my notes are sketchy, and I'll
leave it to people to announce their own projects.  But some
highlights:

 * There's a surge of interest in WireGuard and Noise from
provable-security and protocol-analysis researchers.  At the moment
there appear to be several research groups working on WireGuard or
Noise analyses, or considering it.  I think we can expect a lot of
progress on this front, this year.

(Some promising initial results, focused on WireGuard / IKpsk2, are
the machine-checked symbolic proof at [1], and the computational proof
for a slightly-modified protocol at [2]; I'm hoping [2] can be adapted
to the unmodified protocol, but that needs more thought).

 * A number of people were interested in lossy / out-of-order
transport layers (like UDP), and the challenges they pose to Noise
handshake and transport phases.  WireGuard has already faced this, and
other projects are looking at it, so I think there was some question
whether there were shared projects / code / specifications that could
be developed to help with this.  I think the interested parties were
going to follow up with each other.

 * There was a use case for a fully
"indistinguishable-from-random-bytes" protocol, which would drive us
to figure out Elligator for ephemeral public keys, and tackle issues
around padding / trial-decryption for handshake messages.

 * In the spirit of high-level and simpler protocol layers / APIs,
some people were wondering about simple certificate formats for use
with Noise.

 * Noise will be used as a teaching framework in a University-level
crypto course.

 * Piotr points out the Noise-C library is in need of a maintainer
(and is making some efforts to find us one?)


Anyways, I thought it was a great and fun little meeting, I learned a
lot about activities I didn't know were going on.  I'd definitely like
to do some sort of meetup again around next year's RWC (January,
probably San Jose / Palo Alto area), so pencil that in...


Trevor


[1] https://www.wireguard.com/papers/wireguard-formal-verification.pdf
[2] https://eprint.iacr.org/2018/080

