[noise] non replayable XK/KK?

[Trevor Perrin]

On Sun, Jan 28, 2018 at 9:23 PM, Justin Cormack
<justin at specialbusservice.com> wrote:
> Or maybe the only deferral that is useful, at least for this security property,
> is just that the initiator only sends e initially, followed by the
> responder sending
> e, ee. That is the only sequence that gives the no information on replay
> property I think. That gives a reasonable set of defered patterns.


That makes sense, and scopes this to something manageable.

Since the "defer" modifier really only applies to the four ?K
patterns, another option is to consider these as different base
patterns, e.g.

  ?K = recipient key Known, and used immediately for 0-RTT encryption
  ?D = recipient key known, but encryption Deferred (no 0-RTT)

Below would be the ?D patterns I think, shown next to the relevant ?K
pattern.  This is pretty straightforward, except we lose the "ss" for
KD and ID, since it's not needed if we're not doing 0-RTT sender auth.


XK(s, rs):
  <- s
  ...
  -> e, es
  <- e, ee
  -> s, se

XD(s, rs):
  <- s
  ...
  -> e
  <- e, ee, es
  -> s, se


NK(rs):
  <- s
  ...
  -> e, es
  <- e, ee

ND(rs):
  <- s
  ...
  -> e
  <- e, ee, es


KK(s, rs):
  -> s
  <- s
  ...
  -> e, es, ss
  <- e, ee, se

KD(s, rs):
  -> s
  <- s
  ...
  -> e
  <- e, ee, se, es


IK(s, rs):
  <- s
  ...
  -> e, es, s, ss
  <- e, ee, se

ID(s, rs):
  <- s
  ...
  -> e, s
  <- e, ee, se, es

?

Trevor