[noise] Generating patterns, and ss tokens

Trevor Perrin trevp at trevp.net
Thu Jun 21 09:28:26 PDT 2018


On Wed, Jun 20, 2018 at 2:33 AM, Justin Cormack
<justin at specialbusservice.com> wrote:
> The original version was missing a few; I tidied it up and checked the
> patterns and can confirm it generates exactly the
> same patterns as the v34 spec, other than the fact they contain "ss"
> tokens where possible.


Ah, very nice!  If you were able to describe the logic concisely that
could be a great Appendix for the Noise spec.

Regarding ss, the rule I was following for non-deferred patterns was:

 * Only add an ss if it adds some authentication of the initiator in
the first message.

This means that ss only gets added to IK and KK, since those are the
cases where the initiator is capable of authenticating itself with ss
but not se, in the first message.

The rationale was that ss is worth doing for extra authentication
properties, but I wasn't trying to use ss for resilience against
ephemeral-key compromise.  I assumed we could have a modifier that
added that property later, for people who want it and are willing to
pay the cost of the extra DH.

Whether this was the optimal decision is hard to say, but at least for
the fundamental patterns we are probably locked into it.

For the deferred patterns we still have options, I'll respond to your
later message.

Trevor


More information about the Noise mailing list