[noise] Extensions Roadmap: Discussion and Planning

Trevor Perrin trevp at trevp.net
Wed Aug 1 00:35:35 PDT 2018


Hi all,

We have a lot of ideas for Noise extensions, but they're scattered
around the mailing list.  It's unclear if or when we're going to work
on them, who would do the work, how status would be tracked, etc.

We should get more organized:  I'd like to create a roadmap and rough
schedule for extension documents for the next several months, and start
tracking progress (e.g. Wiki and Github).  Providing more visibility
about our plans and progress should help all sorts of things,
including getting more people involved and more happening in parallel.

To start discussions about this, I'll propose the 10 extensions I
think should be next on the roadmap.  I'll also propose trying to get
them written-up in "official/unstable" documents in 2018, so we could
test them and pronounce them stable in 2019 (and create another set of
unstable extensions then).

So this is a proposal for versioning, too:  We could have yearly sets
of stable and unstable official extensions, and if a protocol uses
extensions from the "stable set" from 2019 (or 2020 etc), it will be
compatible with libraries which implement this set.

If the below set is good to tackle in 2018, we could move this list
onto the Wiki and create Github projects for each of them, plus see if
we can get people interested in starting drafts.

For now, I'm just looking for feedback on these extension ideas, or
thoughts about process/organization/etc.


Extension ideas
================
The 10 extension proposals are in 4 categories:

 * Symmetric Crypto:  Extracting additional keys or hashing additional
inputs; or using new types of symmetric crypto

 * Advanced 0-RTT:  Additional ways to perform 0-RTT encryption
(besides encrypting to a long-term static)

 * New Patterns: Covering simple modifiers (e.g. adding "ss"), plus
complex "multi-algorithm" handshake patterns that could combine
signatures, KEMs, and different DH types.

 * Framing/Negotiation:  NoiseSocket and NLS to provide fleshed-out
protocols with framing and negotiation added.


Symmetric Crypto
-----------------
Additional Symmetric Keys
 - Enables applications to derive additional output keys during both
handshake and transport phases
 - References:
   https://moderncrypto.org/mail-archive/noise/2018/001792.html
   https://moderncrypto.org/mail-archive/noise/2018/001713.html

Additional Hashing
 - Enables applications to hash additional inputs during handshakes, a
bit similar to PSK
 - References:
   https://moderncrypto.org/mail-archive/noise/2018/001792.html

Symmetric-Crypto Overhaul
 - Options for using sponge/duplex/permutation crypto like
Strobe/Disco; and non-HMAC hashing
 - References: (TBD, Disco/Strobe discussions are a start, but I'm
working on a proposal for this as well)


Advanced 0-RTT
---------------
PSK Resumption
 - Uses ASK mechanism to derive resumption PSKs
 - Depends on: Additional Symmetric Keys and Additional Hashing
 - References:
   https://moderncrypto.org/mail-archive/noise/2018/001713.html
   https://moderncrypto.org/mail-archive/noise/2018/001636.html

Short-lived Statics with Offline Signing Keys
 - Description: Uses short-lived statics signed by an offline signing
key, for public-key 0-RTT with improved security
 - Depends on: Additional Hashing
 - References:
   https://moderncrypto.org/mail-archive/noise/2018/001792.html


New Patterns
-------------
Static-Static Patterns
 - Options for adding or removing the "ss" token from handshake patterns
 - References:
   https://moderncrypto.org/mail-archive/noise/2018/001713.html

Multi-Algorithm Patterns
 - Patterns for signatures, KEMs, multiple DH algorithms, and mixtures thereof
 - References:
   https://moderncrypto.org/mail-archive/noise/2018/001793.html
   https://moderncrypto.org/mail-archive/noise/2018/001713.html

Wildcard Patterns
 - Patterns with dynamically-transmitted fields to indicate types of
keys and authentication algorithms
 - References:
   https://moderncrypto.org/mail-archive/noise/2018/001713.html


Framing and Negotiation
------------------------
NoiseSocket
 - Adds framing headers and plaintext-padding for Noise over
stream-based transports

NLS
 - Combines the "NoiseLingo" protobuf-based negotiation language with
NoiseSocket to form "NoiseLingoSocket", plus default NLS profiles
(NoiseLink and NoiseBox variants)
 - Depends on: NoiseSocket

Trevor

