[noise] Planning for revision 34
Trevor Perrin
trevp at trevp.net
Mon Feb 19 15:13:38 PST 2018
We're probably due for another spec revision. I'll propose these additions:
(1) Add "Alice and Bob" roles and the notion of "compound protocols" [1]
(2) Add new "deferred" patterns [2]
(3) Add discussion of security properties against an attacker trying
to test server identities for equality [3]
(4) Clarify indistinguishability requirement for the encryption scheme [4]
Anything else? If people are OK with this, I'll start drafting it soon.
---
The "Alice and Bob" thing hasn't been discussed in a while, so I'll
summarize the goals and idea here:
This is to clarify roles in "compound" protocols where the parties
start one Noise protocol, then switch to a different one (e.g. the
fallback case in Noise Pipes). The Initiator/Responder roles would
switch in this case, since the responder in the first Noise protocol
becomes the initiator of the fallback protocol. So it's helpful to
have roles which do *not* switch.
The key points are:
* "Alice" is the initiator of the first Noise protocol in a compound protocol
* Alice is always the left-most party in handshake pattern notation,
and Bob is the right-most
* For notational convenience, allow patterns to be written in either
Alice-initiated or Bob-initiated form. This was previously a special
rule for fallback, but for generality we'd allow all patterns to be
written this way.
So these are Alice-initiated and Bob-initiated notations for the same pattern:

NX(rs):
  -> e
  <- e, ee, s, es

NX(s):
  <- e
  -> e, ee, s, se

And also these:

XXfallback(s, re, rs):
  <- e
  ...
  -> e, ee, s, se
  <- s, es

XXfallback(e, s, rs):
  -> e
  ...
  <- e, ee, s, es
  -> s, se

Trevor
[1] https://moderncrypto.org/mail-archive/noise/2017/001321.html
[2] https://moderncrypto.org/mail-archive/noise/2018/001474.html
[3] https://moderncrypto.org/mail-archive/noise/2018/001438.html
[4] https://moderncrypto.org/mail-archive/noise/2018/001469.html
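
Added example, not part of the original post and not Noise project code: a Python sketch of the rewriting between the Alice-initiated and Bob-initiated notations shown in the message above, checked against its four patterns. The rule used (flip arrows, swap es/se, swap local and remote names in the parameter list, order parameters as e, s, re, rs) is an assumption inferred from those four patterns; flip_pattern and the constant names are hypothetical.

```python
import re

# Parameter order and swaps are inferred from the patterns in the post (assumption).
PARAM_ORDER = ["e", "s", "re", "rs"]
SWAP_PARAM = {"e": "re", "re": "e", "s": "rs", "rs": "s"}
SWAP_TOKEN = {"es": "se", "se": "es"}  # e, s, ee, ss read the same from either side
SWAP_ARROW = {"->": "<-", "<-": "->"}
VALID_TOKENS = {"e", "s", "ee", "es", "se", "ss"}


def flip_pattern(text):
    """Rewrite a pattern from Alice-initiated to Bob-initiated form, or back."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = re.fullmatch(r"(\w+)\(([^)]*)\):", lines[0])
    if not header:
        raise ValueError("bad pattern header: %r" % lines[0])
    params = [p.strip() for p in header.group(2).split(",") if p.strip()]
    unknown = [p for p in params if p not in SWAP_PARAM]
    if unknown:
        raise ValueError("unknown parameter(s): %r" % unknown)
    flipped = sorted((SWAP_PARAM[p] for p in params), key=PARAM_ORDER.index)
    out = ["%s(%s):" % (header.group(1), ", ".join(flipped))]
    for ln in lines[1:]:
        if ln == "...":  # pre-message separator carries no direction
            out.append(ln)
            continue
        arrow, _, rest = ln.partition(" ")
        tokens = [t.strip() for t in rest.split(",")]
        if arrow not in SWAP_ARROW or not all(t in VALID_TOKENS for t in tokens):
            raise ValueError("bad message line: %r" % ln)
        swapped = [SWAP_TOKEN.get(t, t) for t in tokens]
        out.append("%s %s" % (SWAP_ARROW[arrow], ", ".join(swapped)))
    return "\n".join(out)


# The four patterns from the post, with indentation removed.
NX_ALICE = "NX(rs):\n-> e\n<- e, ee, s, es"
NX_BOB = "NX(s):\n<- e\n-> e, ee, s, se"
XXFB_BOB = "XXfallback(s, re, rs):\n<- e\n...\n-> e, ee, s, se\n<- s, es"
XXFB_ALICE = "XXfallback(e, s, rs):\n-> e\n...\n<- e, ee, s, es\n-> s, se"

if __name__ == "__main__":
    for pattern in (NX_ALICE, XXFB_BOB):
        print(flip_pattern(pattern), end="\n\n")
```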