[noise] Implementing HFS support for Noise

Daan Sprenkels hello at dsprenkels.com
Thu Aug 29 03:06:37 PDT 2019


Hey all,

As David already mentioned yesterday, I have spent some efforts on
implementing HFS support for the snow implementation in Rust this week
[1], based on the spec from [2]. Currently, there is a fully functional
proof-of-concept.

I also have a couple of points of discussion on which I hope to get some
general feedback.


## HFS patterns

Trevor's HFS spec makes no mention of how to specify the KEM that is to
be used. There seem to be a couple of straightforward options:

1. Add the name into the pattern after the DH-scheme separated with a
   `+`, for example: `Noise_XXhfs_25519+Kyber1024_AESGCM_SHA256`. This
   was already proposed by [3].
2. Make this library-dependent (i.e. view this in the same way as
   loading static keys).

I feel there is a general preference for the first one. What do you
think? Should we standardize the first format?


## Selecting post-quantum KEMs

For snow, I have used Kyber1024, by request of David, (and also because
of personal affiliation). However, to provide the users with some
choice, we should maybe also decide on a second one to "unofficially"
standardize. In any case, I agree to update to the winners from the NIST
competition once that's finished. Until then, should we implement a
second one (and which)?

---

I hope that I'm not overestimating the interest for post-quantum noise.
I know that the Katzenpost project is interested, but do you guys know
if there are any other users that want this?


Regards,
Daan Sprenkels


[1]: https://github.com/mcginty/snow/pull/61
[2]: https://github.com/noiseprotocol/noise_hfs_spec/blob/master/output/noise_hfs.pdf
[3]: https://github.com/noiseprotocol/noise_spec/blob/41d478d3dd97d77a6695f4d6cf6283e2830e9ca6/extensions/ext_hybrid_forward_secrecy.md
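
Added example, not part of the original message and not code from snow: a Rust parser for the option-1 name format, where the KEM name follows the DH name after a `+`. The names `HfsName` and `parse_name` are hypothetical, and rejecting names in which the `hfs` modifier and a KEM name do not appear together is an assumption of this example, not something the HFS spec states.

```rust
// Added example, not snow's code. HfsName and parse_name are hypothetical names.
#[derive(Debug, PartialEq)]
pub struct HfsName {
    pub base: String,           // base handshake pattern, e.g. "XX"
    pub modifiers: Vec<String>, // pattern modifiers, e.g. ["hfs"]
    pub dh: String,             // e.g. "25519"
    pub kem: Option<String>,    // e.g. Some("Kyber1024"), taken from "<dh>+<kem>"
    pub cipher: String,
    pub hash: String,
}

pub fn parse_name(name: &str) -> Result<HfsName, String> {
    let parts: Vec<&str> = name.split('_').collect();
    if parts.len() != 5 || parts[0] != "Noise" || parts.iter().any(|p| p.is_empty()) {
        return Err("expected Noise_<pattern>_<dh>[+<kem>]_<cipher>_<hash>".to_string());
    }
    // Pattern section: upper-case/digit base name, then '+'-separated modifiers.
    let pat = parts[1];
    let cut = pat.find(|c: char| c.is_ascii_lowercase()).unwrap_or(pat.len());
    let (base, mods) = pat.split_at(cut);
    if base.is_empty() || !base.chars().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit()) {
        return Err(format!("bad base pattern in {:?}", pat));
    }
    // An empty modifier string yields no modifiers rather than one empty entry.
    let modifiers: Vec<String> =
        mods.split('+').filter(|_| !mods.is_empty()).map(String::from).collect();
    if modifiers.iter().any(|m| m.is_empty()) {
        return Err(format!("empty modifier in {:?}", pat));
    }
    // DH section: "<dh>" or "<dh>+<kem>" (option 1 in the mail).
    let algs: Vec<&str> = parts[2].split('+').collect();
    if algs.len() > 2 || algs.iter().any(|a| a.is_empty()) {
        return Err(format!("bad DH/KEM section {:?}", parts[2]));
    }
    let kem = algs.get(1).map(|s| s.to_string());
    // Assumption of this example: fail closed unless "hfs" and a KEM name appear together.
    if modifiers.iter().any(|m| m == "hfs") != kem.is_some() {
        return Err("the hfs modifier and a KEM name must appear together".to_string());
    }
    Ok(HfsName {
        base: base.to_string(),
        modifiers,
        dh: algs[0].to_string(),
        kem,
        cipher: parts[3].to_string(),
        hash: parts[4].to_string(),
    })
}
```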

