[noise] Generating patterns, and ss tokens
Trevor Perrin
trevp at trevp.net
Thu Jun 21 19:08:10 PDT 2018
On Thu, Jun 21, 2018 at 9:51 PM, Justin Cormack
<justin at specialbusservice.com> wrote:
[Trevor]:
>> So maybe the most consistent approach would be to preserve the ss, and
>> have a set of modifiers that are capable of both adding and removing
>> ss?
[...]
>
> Yes I think this is more consistent. The drop ss modifier (harder to name!) is
> probably more useful; adding ss could add by default in the first place
> possible, or perhaps use eg ss1 if you want to move it, not sure if specifying
> these is worthwhile immediately.

Here is another wrinkle: it's easy to change the draft 34 and add
"ss" back into, say, K1K (or I1K).

But it's not so easy to add "ss" back into KK1 and K1K1 (or IK1 and
I1K1), due to the validity rule I was just discussing with Karthik.

KK1 and K1K1 would defer the authentication from the first message,
and Noise doesn't let you send a message relying only on static-static
DH for authenticating the recipient, when you are capable of an
ephemeral-static DH.

In this case, the validity rule isn't protecting you from any replay
attack (I think), so we could consider rejiggering the validity rule
to allow the "ss" here. But I like Noise's strictness: if you can do
an ephemeral-static DH it's a bad idea to rely on a static-static DH
instead.

So given this, would we still want to add the ss into K1K and I1K, or
leave it out? Adding it makes KK and K1K more similar, but leaving it
out makes all the deferred patterns more similar...

KK:
  -> s
  <- s
  ...
  -> e, es, ss
  <- e, ee, se

K1K:
  -> s
  <- s
  ...
  -> e, es[, ss]
  <- e, ee
  -> se

KK1:
  -> s
  <- s
  ...
  -> e
  <- e, ee, se, es

K1K1:
  -> s
  <- s
  ...
  -> e
  <- e, ee, es
  -> se

IK:
  <- s
  ...
  -> e, es, s, ss
  <- e, ee, se

I1K:
  <- s
  ...
  -> e, es, s[, ss]
  <- e, ee
  -> se

IK1:
  <- s
  ...
  -> e, s
  <- e, ee, se, es

I1K1:
  <- s
  ...
  -> e, s
  <- e, ee, es
  -> se

Trevor
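
Added example, not part of the original message or of the Noise project's code: a small Python check of the static-DH validity rule, in the form published as rule 4 of the validity rules in revision 34 of the Noise specification, run over KK and KK1 as written above and over a constructed KK1 variant with "ss" placed in the first message. The names `parse`, `violations`, `REQUIRED` and `KK1_SS` are assumptions of this example, and it assumes interactive patterns in which both parties send transport payloads.

```python
# Added example: validity rule 4 from revision 34 of the Noise specification.
# Before sending a payload, a party that has used its static key in a DH must
# also have done the matching DH with its ephemeral key.
REQUIRED = {
    "->": {"se": "ee", "ss": "es"},  # initiator is the sender
    "<-": {"es": "ee", "ss": "se"},  # responder is the sender
}

# Patterns KK and KK1 as written in the message above.
KK = """
-> s
<- s
...
-> e, es, ss
<- e, ee, se
"""
KK1 = """
-> s
<- s
...
-> e
<- e, ee, se, es
"""
# Constructed variant (assumption of this example): "ss" put into message 1.
KK1_SS = KK1.replace("-> e\n", "-> e, ss\n")

def parse(pattern):
    """Return [(direction, [tokens])] for the messages after the '...' line."""
    lines = [ln.strip() for ln in pattern.strip().splitlines() if ln.strip()]
    if "..." in lines:  # drop pre-messages: they carry no payload
        lines = lines[lines.index("...") + 1:]
    msgs = []
    for line in lines:
        direction, _, rest = line.partition(" ")
        msgs.append((direction, [t.strip() for t in rest.split(",") if t.strip()]))
    return msgs

def violations(pattern):
    """Return [(step, direction, static_dh, missing_ephemeral_dh)]."""
    # Assumption: interactive pattern, so both sides send transport payloads
    # afterwards; those appear as two extra steps with no tokens.
    steps = parse(pattern) + [("->", []), ("<-", [])]
    seen, found = set(), []
    for n, (direction, tokens) in enumerate(steps, 1):
        seen.update(tokens)  # the payload is encrypted after the message's tokens
        for static_dh, eph_dh in REQUIRED[direction].items():
            if static_dh in seen and eph_dh not in seen:
                found.append((n, direction, static_dh, eph_dh))
    return found

if __name__ == "__main__":
    for name, pat in [("KK", KK), ("KK1", KK1), ("KK1+ss", KK1_SS)]:
        print(name, violations(pat) or "valid under rule 4")
```

The bracketed `[, ss]` notation used for K1K and I1K in the message is not parsed; write the token in or leave it out before passing a pattern to `violations`.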