[noise] earlier IK
filippo at ml.filippo.io
Wed May 19 06:07:23 PDT 2021
Sounds like what you want is KK with the initiator's s in the prologue.
You obviously lose all initiator identity hiding, but otherwise it should have the same payload properties as regular KK.
2021-05-19 14:07 GMT+02:00 Arvid Picciani <aep at exys.org <mailto:aep%40exys.org>>:
> In order to not share the responder static key between multiple servers,
> i am considering creating a responder key per initiator.
> the responder key is then loaded hot only when needed and can be revoked more fine grained.
> This would require the responder to know which key to load. The current IK pattern has the initiator static encrypted with the responder static, so i can't look up the matching receiver keys.
> I could just use IX , but i actually want encrypted 0RTT payload,
> so something like
> <- s
> -> s, ss, e, es
> <- e, ee, se
> i'm assuming 0RTT payload has the same protection as IK, i.e. Source 1 and Destination 2,
> except it looses identity hiding, as that's kind of the point
> is this correct?
> Noise mailing list
> Noise at moderncrypto.org <mailto:Noise%40moderncrypto.org>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Noise