[noise] multi algorithm handshakes - alternative formulation (was Re: "sig" modifier (was: Extension spec: Static-Static Pattern Modifiers))

[Justin Cormack]

On Wed, 28 Nov 2018 at 09:24, Trevor Perrin <trevp at trevp.net> wrote:
> I'm not sure what the composition rules are though, and whether
> they're well-behaved and simple if we wrote them down?

I think that you can use the pattern derivation rules from the spec,
with the following modifications:
1. remove duplicated ephemerals of the same type, so we do not
duplicate e or ee.
2. apply the rules for each pattern being appended in turn.

However, this does not cover the modification of moving some messages
later so that they can be encrypted, which would involve some further
rule tweaks.

> Also, how to specify different public-key algorithms needs more
> thought, since different patterns could reference the same or
> different signature/KEM/DH algorithms, initiator or responder could
> use multiple algorithms, etc.
>
> For  example, we could add numbers to the end of each modifier which
> apply to the modified tokens and reference some public key algorithm:
>
> XXsig1_25519+Ed25519:
>  -> e
>  <- e, ee, s1, sig1
>  -> s1, sig1

Yes that might help. I need to write some more examples, to look
at what is clear.

> But you were also writing sig patterns without a number suffix, so I'm
> not sure which approach is most composable (and it would be good to
> figure something out at least for signatures, so we can knock out a
> sig spec soon).

Yes I am not sure if omitting the numbers is a good idea. Probably it is best
to be consistent.

Justin