[noise] Source and destination properties of X1N and NX1

Guillaume Girol guillaume.girol_noise at m4x.org
Sun Feb 10 11:22:51 PST 2019


Hello,

I believe there are two typos in the section 18.2 of the specification.
It gives these security levels for X1N:

X1N
  -> e                      0                0
  <- e, ee                  0                1
  -> s                      0                1
  <- se                     0                3
  ->                        2                1
The last handshake message is labeled destination level 3 because an
attacker can forge the first message and only compromise the initiator's
static long later, but it seems like this does not work with the second
transport message anymore. As if a line
  <-                        0                5
had been inadvertantly omitted in the table.
This is consistent with XN.

For NX1, it seems like the two last lines have been swapped:
NX1
  -> e                      0                0
  <- e, ee, s               0                1
  -> es                     0                3
  ->                        2                1
  <-                        0                5

should probably be:
NX1
  -> e                      0                0
  <- e, ee, s               0                1
  -> es                     0                3
  <-                        2                1
  ->                        0                5

Destination level 1 is 'encryption to an ephemeral recipient' so it does
not fit a transport message to an agent with a static key.

Best regards,
Guillaume Girol


More information about the Noise mailing list