[noise] earlier IK

Arvid Picciani aep at exys.org
Wed May 19 05:07:28 PDT 2021

In order to not share the responder static key between multiple servers,
I am considering creating a responder key per initiator.
The responder key is then loaded hot only when needed and can be revoked
in a more fine-grained way.

This would require the responder to know which key to load. The current IK
pattern has the initiator static encrypted with the responder static, so I
can't look up the matching receiver keys.

I could just use IX, but I actually want encrypted 0RTT payload,

so something like

      <- s
      -> s, ss, e, es
      <- e, ee, se

I'm assuming 0RTT payload has the same protection as IK, i.e. Source 1 and
Destination 2,
except it loses identity hiding, as that's kind of the point.

Is this correct?
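
The token order discussed in the message above, walked mechanically, as an added example that is not part of the original post and not a Noise implementation. It relies only on the Noise rule that an `s` token is encrypted once a DH token has been mixed into the key; the names `PROPOSED`, `walk` and `show` are made up here.

```python
# Token walk for Noise handshake patterns (added illustration only).
# Rule from the Noise spec: an "s" token is sent via EncryptAndHash(), which
# only encrypts once a DH token (ee/es/se/ss) has called MixKey().
# An "e" token is always sent in cleartext.

DH_TOKENS = {"ee", "es", "se", "ss"}

# Patterns as (direction, tokens). Pre-messages are omitted: they are not transmitted.
IK = [("->", ["e", "es", "s", "ss"]), ("<-", ["e", "ee", "se"])]
# The pattern proposed in the post above (hypothetical name, pre-message "<- s").
PROPOSED = [("->", ["s", "ss", "e", "es"]), ("<-", ["e", "ee", "se"])]


def walk(pattern):
    """Return one dict per message: how its static key is sent, and which
    DH outputs have been mixed into the key protecting its payload."""
    mixed = []  # DH tokens processed so far, in order
    report = []
    for direction, tokens in pattern:
        static = None  # None means the message carries no "s" token
        for tok in tokens:
            if tok in DH_TOKENS:
                mixed.append(tok)
            elif tok == "s":
                # Encrypted only if some DH has already keyed the cipher state.
                static = "encrypted" if mixed else "cleartext"
        report.append({"dir": direction, "static": static,
                       "payload_dh": list(mixed)})
    return report


def show(name, pattern):
    print(name)
    for i, msg in enumerate(walk(pattern), 1):
        keyed = ", ".join(msg["payload_dh"]) or "nothing"
        print(f"  msg {i} {msg['dir']}  static={msg['static']}  "
              f"payload keyed by: {keyed}")


if __name__ == "__main__":
    show("IK", IK)
    show("proposed", PROPOSED)
```

In the output, the first message of both patterns has its payload keyed by `es` and `ss`; the difference is that the proposed order sends the initiator static before any DH, so the responder can read it and select a key.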

