[noise] rev34 draft

Trevor Perrin trevp at trevp.net
Sun Apr 8 22:11:04 PDT 2018 

Hi all,

I've created a draft for revision 34 of the Noise spec.  Hoping to
publish this at end of the month:

https://github.com/noiseprotocol/noise_spec/tree/rev34
https://github.com/noiseprotocol/noise_spec/blob/rev34/output/noise.pdf

This follows the plan from [1], though the terminology on some things
changed a bit as I worked through it:

 (1) For handling "compound protocols" built out of multiple Noise
protocols, like in Noise Pipes or NLS, I added the notion of "Alice"
and "Bob" roles, and "Bob-initiated" handshake pattern notation
(versus "Alice-initiated" aka "canonical form").  This replaces the
earlier special-case handling of "fallback protocols" and I think
gives us better concepts, terms, and notation here, which is aligned
with the NLS work.

 (2) Added 22 new "deferred" patterns in addition to the current 12
"fundamental" patterns.  These new patterns give us some different
properties wrt identity-hiding, smaller initial messages (skipping
0-RTT encryption), and put us within striking distance of signatures
and KEMs.

 (3) Improved the discussion of identity-hiding to cover the
"equality-test" attack, which I had missed previously.

 (4) Added a sentence clarifying the indistinguishability requirement
on the ciphertext, per list discussion.

 (5) Some small clarifications brought up by Katriel Cohn-Gordon, and
Justin Cormack.


No substantive changes apart from adding new patterns.  This spec is
marked"official/unstable", the "unstable" due to the addition of new
patterns.

Alternatively we could put the new patterns in a separate document and
mark this as "stable".  However, because some of these patterns are
sometimes better versions of existing patterns (e.g. NK1 vs NK; XK1
versus XK), I think it makes sense to have them as part of the core.

---

One notation change came up:  we'd been listing the keypair inputs to
a handshake pattern in parentheses:

NK(rs):
 -> e, es
 <- e, ee

This is redundant since the inputs can be inferred from the pattern
contents.  I thought it would make patterns a little easier to read,
but once we have Bob-initiated patterns the meaning of the
parenthesized terms becomes more confusing than helpful, I think.  So
I removed the parenthesized terms, so NK in canonical and
Bob-initiated form now looks like following:

NK:
 -> e, es
 <- e, ee

NK:
 <- e, se
 -> e, ee


Trevor

[1] https://moderncrypto.org/mail-archive/noise/2018/001475.html

More information about the Noise mailing list