[noise] psk analysis, and ss/noss modifiers (was Re: Noise Explorer)

Nadim Kobeissi nadim at symbolic.software
Tue Aug 14 21:29:27 PDT 2018


Pattern analysis for KKnoss, IKnoss, KKss, KXss, XKss and IKss has begun
and should be completed within a few hours.

Nadim Kobeissi
Symbolic Software • https://symbolic.software
Sent from office


On Wed, Aug 15, 2018 at 12:23 AM Justin Cormack <justin at specialbusservice.com> wrote:

> On 14 August 2018 at 16:56, Trevor Perrin <trevp at trevp.net> wrote:
> > OK, so I think there's 2 questions you're answering with the "ss"
> > patterns below:
> >
> >  * You're using the "late" choice for deferred patterns (which you've
> > done consistently), and leaving out the "early" option I mentioned.  I
> > think I agree with this:  If you've chosen to defer the more-important
> > authentication DHs (se and es), it seems you probably would want to
> > defer the less-important ss DH that is just supplying a bit more
> > forward-secrecy against an unusual attack.  Also, this is fairly
> > simple, and doesn't preclude us adding the other patterns later, if we
> > think of a reason for them.
> >
> >  * You're making KKss and IKss identical with existing KK and IK,
> > instead of putting the "ss" on the end.  Not sure I agree here, seems
> > like it gains us more flexibility to have a different option, and
> > perhaps more consistency to have the "ss" modified patterns always
> > have "ss" at the end.  Also, it seems possible you might prefer to
> > skip the early "ss" for denial-of-service or (in KK) identity-hiding
> > reasons.
>
> Ok, well that gives the "always put the ss at the end" rule, which is also
> pretty simple. There aren't any other possibilities with any of the non
> deferred patterns anyway, so ok with that choice.
>
> > Anyways, I think we're converging on something - if you have time it
> > would be great to start a spec and link from wiki, also so we can get
> > Nadim some tentative patterns to analyze.
>
> Will do, am away for a bit and not sure how much time I will have immediately
> but will see.
>
> For reference these are the patterns if Nadim has time to analyze...
>
> KKnoss:
>   -> s
>   <- s
>   ...
>   -> e, es
>   <- e, ee, se
>
> IKnoss:
>   <- s
>   ...
>   -> e, es, s
>   <- e, ee, se
>
>
> KKss:
>   -> s
>   <- s
>   ...
>   -> e, es
>   <- e, ee, se, ss
>
> KXss:
>   -> s
>   ...
>   -> e
>   <- e, ee, se, s, es, ss
>
> XKss:
>   <- s
>   ...
>   -> e, es
>   <- e, ee
>   -> s, se, ss
>
> IKss:
>   <- s
>   ...
>   -> e, es, s
>   <- e, ee, se, ss
>
> XXss:
>   -> e
>   <- e, ee, s, es
>   -> s, se, ss
>
> IXss:
>   -> e, s
>   <- e, ee, se, s, es, ss
>
>
> K1Kss:
>   -> s
>   <- s
>   ...
>   -> e, es
>   <- e, ee
>   -> se, ss
>
> KK1ss:
>   -> s
>   <- s
>   ...
>   -> e
>   <- e, ee, se, es, ss
>
> K1K1ss:
>   -> s
>   <- s
>   ...
>   -> e
>   <- e, ee, es
>   -> se, ss
>
> K1Xss:
>   -> s
>   ...
>   -> e
>   <- e, ee, s, es
>   -> se, ss
>
> KX1ss:
>   -> s
>   ...
>   -> e
>   <- e, ee, se, s
>   -> es, ss
>
> K1X1ss:
>   -> s
>   ...
>   -> e
>   <- e, ee, s
>   -> se, es, ss
>
> X1Kss:
>   <- s
>   ...
>   -> e, es
>   <- e, ee
>   -> s
>   <- se, ss
>
> XK1ss:
>   <- s
>   ...
>   -> e
>   <- e, ee, es
>   -> s, se, ss
>
> X1K1ss:
>   <- s
>   ...
>   -> e
>   <- e, ee, es
>   -> s
>   <- se, ss
>
> I1Kss:
>   <- s
>   ...
>   -> e, es, s
>   <- e, ee
>   -> se, ss
>
> IK1ss:
>   <- s
>   ...
>   -> e, s
>   <- e, ee, se, es, ss
>
> I1K1ss:
>   <- s
>   ...
>   -> e, s
>   <- e, ee, es
>   -> se, ss
>
> X1Xss:
>   -> e
>   <- e, ee, s, es
>   -> s
>   <- se, ss
>
> XX1ss:
>   -> e
>   <- e, ee, s
>   -> es, s, se, ss
>
> X1X1ss:
>   -> e
>   <- e, ee, s
>   -> es, s
>   <- se, ss
>
> I1Xss:
>   -> e, s
>   <- e, ee, s, es
>   -> se, ss
>
> IX1ss:
>   -> e, s
>   <- e, ee, se, s
>   -> es, ss
>
> I1X1ss:
>   -> e, s
>   <- e, ee, s
>   -> se, es, ss
>
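The patterns quoted above can be checked mechanically. The following Python is an added example, not part of the original messages or of Noise Explorer: it parses the arrow notation used in the thread, checks that every DH token is used only after both public keys it needs have been sent (a simplification of the Noise validity rules), and applies the thread's "always put the ss at the end" convention. The names `parse`, `check`, `IK_SPEC` and `BAD` are hypothetical; `BAD` is a constructed invalid pattern.

```python
DH = {"ee", "es", "se", "ss"}  # 1st letter: initiator's key, 2nd: responder's

# IKss copied from the message above.
IKSS = """<- s
...
-> e, es, s
<- e, ee, se, ss"""
# IK as in the Noise specification (early ss), for contrast.
IK_SPEC = """<- s
...
-> e, es, s, ss
<- e, ee, se"""
# Constructed invalid pattern: ss before the responder's s has been sent.
BAD = """-> s
...
-> e, ss
<- e, ee, se"""

def parse(text):
    """Return (pre_messages, messages) as lists of (arrow, [tokens])."""
    pre, msgs = [], []
    for line in text.strip().splitlines():
        if line.strip() == "...":
            pre, msgs = msgs, []  # everything so far was a pre-message
            continue
        arrow, _, rest = line.strip().partition(" ")
        msgs.append((arrow, [t.strip() for t in rest.split(",")]))
    return pre, msgs

def check(text):
    """Return a list of problems; an empty list means the pattern passed."""
    pre, msgs = parse(text)
    sent = {"->": set(), "<-": set()}  # public keys each side has sent so far
    for arrow, toks in pre:
        sent[arrow].update(toks)
    problems, done = [], set()
    for arrow, toks in msgs:
        for t in toks:
            if t in DH:
                if t in done or t[0] not in sent["->"] or t[1] not in sent["<-"]:
                    problems.append(f"{t}: repeated, or a key it needs is not sent yet")
                done.add(t)
            elif t in ("e", "s") and t not in sent[arrow]:
                sent[arrow].add(t)
            else:
                problems.append(f"{t}: bad or repeated token")
    # Convention agreed in the thread, not a Noise validity rule.
    if "ss" in done and msgs[-1][1][-1] != "ss":
        problems.append("ss: not the last token")
    return problems
```

`check(IKSS)` returns an empty list, while `check(IK_SPEC)` reports only the ss placement, which is the difference between IK and IKss that the thread discusses.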