[noise] psk analysis, and ss/noss modifiers (was Re: Noise Explorer)
Justin Cormack
justin at specialbusservice.com
Mon Aug 6 02:31:22 PDT 2018
Looking at the ss modifer from the point of the generation rules, I
think the best
option may be to say that where there is an ss modifer it gets added after both
the DH es, se have been added. There is no need for ss modifiers here
as there is no real choice, its always at the end, and you get the
base patterns:
KKss:
-> s
<- s
...
-> e, es
<- e, ee, se, ss
KXss:
-> s
...
-> e
<- e, ee, se, s, es, ss
XKss:
<- s
...
-> e, es
<- e, ee
-> s, se, ss
IKss:
<- s
...
-> e, es, s
<- e, ee, se, ss
XXss:
-> e
<- e, ee, s, es
-> s, se, ss
IXss:
-> e, s
<- e, ee, se, s, es, ss
Note that KKss is not the same as KK (the ss is serving a different
function) and corresponds to your KKss2.
This rule seems simple and I don't think can be invalid, and just
replaces the default rule if you apply the ss
modifier. If you are using for this purpose I think this rule makes sense.
The deferred patterns are:
K1Kss:
-> s
<- s
...
-> e, es
<- e, ee
-> se, ss
KK1ss:
-> s
<- s
...
-> e
<- e, ee, se, es, ss
K1K1ss:
-> s
<- s
...
-> e
<- e, ee, es
-> se, ss
K1Xss:
-> s
...
-> e
<- e, ee, s, es
-> se, ss
KX1ss:
-> s
...
-> e
<- e, ee, se, s
-> es, ss
K1X1ss:
-> s
...
-> e
<- e, ee, s
-> se, es, ss
X1Kss:
<- s
...
-> e, es
<- e, ee
-> s
<- se, ss
XK1ss:
<- s
...
-> e
<- e, ee, es
-> s, se, ss
X1K1ss:
<- s
...
-> e
<- e, ee, es
-> s
<- se, ss
I1Kss:
<- s
...
-> e, es, s
<- e, ee
-> se, ss
IK1ss:
<- s
...
-> e, s
<- e, ee, se, es, ss
I1K1ss:
<- s
...
-> e, s
<- e, ee, es
-> se, ss
X1Xss:
-> e
<- e, ee, s, es
-> s
<- se, ss
XX1ss:
-> e
<- e, ee, s
-> es, s, se, ss
X1X1ss:
-> e
<- e, ee, s
-> es, s
<- se, ss
I1Xss:
-> e, s
<- e, ee, s, es
-> se, ss
IX1ss:
-> e, s
<- e, ee, se, s
-> es, ss
I1X1ss:
-> e, s
<- e, ee, s
-> se, es, ss
On 6 August 2018 at 01:02, Trevor Perrin <trevp at trevp.net> wrote:
> On Sat, Aug 4, 2018 at 9:36 AM, Nadim Kobeissi <nadim at symbolic.software> wrote:
>> Hello everyone,
>> In addition to the 13 PSK patterns added last week, the following five new
>> PSK patterns have been added today:
>
>
> Nice, I see you've covered all the PSK patterns in the spec. Were you
> just revalidating the existing properties for the PSK variants, or
> were you checking any properties related to the PSK itself?
>
> If you were just checking that adding the PSK doesn't invalidate the
> existing properties, I'd wonder if there's some way to get a more
> general analysis that adding independent secrets into the KDF can't
> harm existing security properties (and also: taking additional outputs
> from the KDF can't harm existing security properties, which would be
> useful for things like "Independent" ASKs).
>
> Shifting gears: Another task that would benefit from tooling and
> analysis is figuring out modifiers to add and remove "ss" tokens.
>
> To recap: one might want to add a static-static DH to existing
> patterns, to improve resistance to ephemeral-key compromise; or one
> might want to remove a static-static DH, to improve efficiency.
>
> We could probably do this with a "noss" modifer that deletes "ss", and
> also with "ss?" modifiers with ? replaced by the number of the
> handshake message that gets "ss" added to it (deleting an existing ss,
> if present).
>
> I think adding these to the existing fundamental patterns gets the
> following. Adding these to deferred patterns would take more thought,
> and in any case more analysis is needed, and making sure validity
> rules are respected:
>
>
> KKnoss:
> -> s
> <- s
> ...
> -> e, es[, -ss]
> <- e, ee, se
>
> KKss2:
> -> s
> <- s
> ...
> -> e, es
> <- e, ee, se[, ss]
>
>
> IKnoss:
> <- s
> ...
> -> e, es, s[, -ss]
> <- e, ee, se
>
> IKss2:
> <- s
> ...
> -> e, es, s
> <- e, ee, se[, ss]
>
>
> XKss3:
> <- s
> ...
> -> e, es
> <- e, ee
> -> s, se[, ss]
>
> XXss3:
> -> e
> <- e, ee, s, es
> -> s, se[, ss]
>
>
> KXss2:
> -> s
> ...
> -> e
> <- e, ee, se, s, es[, ss]
>
> IXss2:
> -> e, s
> <- e, ee, se, s, es[, ss]
>
>
> Trevor
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise
More information about the Noise
mailing list