[noise] earlier IK
Filippo Valsorda
filippo at ml.filippo.io
Wed May 19 06:07:23 PDT 2021
Sounds like what you want is KK with the initiator's s in the prologue.
You obviously lose all initiator identity hiding, but otherwise it should have the same payload properties as regular KK.
2021-05-19 14:07 GMT+02:00 Arvid Picciani <aep at exys.org <mailto:aep%40exys.org>>:
> In order to not share the responder static key between multiple servers,
> i am considering creating a responder key per initiator.
> the responder key is then loaded hot only when needed and can be revoked more fine grained.
>
> This would require the responder to know which key to load. The current IK pattern has the initiator static encrypted with the responder static, so i can't look up the matching receiver keys.
>
> I could just use IX , but i actually want encrypted 0RTT payload,
>
> so something like
>
> XIK:
> <- s
> ...
> -> s, ss, e, es
> <- e, ee, se
>
> i'm assuming 0RTT payload has the same protection as IK, i.e. Source 1 and Destination 2,
> except it looses identity hiding, as that's kind of the point
>
> is this correct?
>
> thanks,
> Arvid
>
> --
> +4916093821054
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org <mailto:Noise%40moderncrypto.org>
> https://moderncrypto.org/mailman/listinfo/noise
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20210519/275ed34d/attachment.htm>
More information about the Noise
mailing list