[noise] earlier IK

Filippo Valsorda filippo at ml.filippo.io
Wed May 19 06:07:23 PDT 2021

Sounds like what you want is KK with the initiator's s in the prologue.

You obviously lose all initiator identity hiding, but otherwise it should have the same payload properties as regular KK.

2021-05-19 14:07 GMT+02:00 Arvid Picciani <aep at exys.org <mailto:aep%40exys.org>>:
> In order to not share the responder static key between multiple servers,
> i am considering creating a responder key per initiator.
> the responder key is then loaded hot only when needed and can be revoked more fine grained.
> This would require the responder to know which key to load. The current IK pattern has the initiator static encrypted with the responder static, so i can't look up the matching receiver keys.
> I could just use IX , but i actually want encrypted 0RTT payload,
> so something like
> XIK:
>       <- s
>       ...
>       -> s, ss, e, es
>       <- e, ee, se
> i'm assuming 0RTT payload has the same protection as IK, i.e. Source 1 and Destination 2,
> except it looses identity hiding, as that's kind of the point
> is this correct?
> thanks,
> Arvid
> --
> +4916093821054
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org <mailto:Noise%40moderncrypto.org>
> https://moderncrypto.org/mailman/listinfo/noise
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20210519/275ed34d/attachment.htm>

More information about the Noise mailing list