[noise] psk analysis, and ss/noss modifiers (was Re: Noise Explorer)

[Trevor Perrin]

On Tue, Aug 7, 2018 at 8:56 AM, Justin Cormack
<justin at specialbusservice.com> wrote:
> Actually the simplest generation rule that doesnt generate invalid
> patterns, and which produces the early patterns for the standard
> patterns is to do ss as early as possible (after es or se as applicable)
> but to defer it if the other side is deferred (so as to avoid being too early
> and so being invalid) puts the ss at the end for all the deferred patterns:
>
> I kind of quite like the fact it is a simple rule but it also generates the same
> standard patterns so we dont have two versions of KK and IK. While a few
> of the deferred patterns could have ss one line earlier I dont think
> this matters.

OK, so I think there's 2 questions you're answering with the "ss"
patterns below:

 * You're using the "late" choice for deferred patterns (which you've
done consistently), and leaving out the "early" option I mentioned.  I
think I agree with this:  If you've chosen to defer the more-important
authentication DHs (se and es), it seems you probably would want to
defer the less-important ss DH that is just supplying a bit more
forward-secrecy against an unusual attack.  Also, this is fairly
simple, and doesn't preclude us adding the other patterns later, if we
think of a reason for them.

 * You're making KKss and IKss identical with existing KK and IK,
instead of putting the "ss" on the end.  Not sure I agree here, seems
like it gains us more flexibility to have a different option, and
perhaps more consistency to have the "ss" modified patterns always
have "ss" at the end.  Also, it seems possible you might prefer to
skip the early "ss" for denial-of-service or (in KK) identity-hiding
reasons.

Anyways, I think we're converging on something - if you have time it
would be great to start a spec and link from wiki, also so we can get
Nadim some tentative patterns to analyze.

Trevor