[noise] earlier IK

Justin Cormack justin at specialbusservice.com
Wed May 19 06:33:14 PDT 2021


Knowing the public key isn't a security issue, other than what it
reveals about identity.

Justin

On Wed, 19 May 2021 at 14:17, Arvid Picciani <aep at exys.org> wrote:
>
> yes.
> actually, there might be a better option. If i send the _responder_ static key in prelude we get some minimal identity hiding because the responder key changes frequently.
>
> however, i'm unsure about the security implications because  noise never sends the responder static anywhere for precedent.
> Does an attacker gain any advantage by knowing the public key for the responder? Is it easier to break then maybe since they can also observe the 0RTT payload encrypted for that recipient?
>
> On Wed, May 19, 2021 at 3:08 PM Filippo Valsorda <filippo at ml.filippo.io> wrote:
>>
>> Sounds like what you want is KK with the initiator's s in the prologue.
>>
>> You obviously lose all initiator identity hiding, but otherwise it should have the same payload properties as regular KK.
>>
>> 2021-05-19 14:07 GMT+02:00 Arvid Picciani <aep at exys.org>:
>>
>> In order to not share the responder static key between multiple servers,
>> i am considering creating a responder key per initiator.
>> the responder key is then loaded hot only when needed and can be revoked more fine grained.
>>
>> This would require the responder to know which key to load. The current IK pattern has the initiator static encrypted with the responder static, so i can't look up the matching receiver keys.
>>
>> I could just use IX , but i actually want encrypted 0RTT payload,
>>
>> so something like
>>
>> XIK:
>>       <- s
>>       ...
>>       -> s, ss, e, es
>>       <- e, ee, se
>>
>> i'm assuming 0RTT payload has the same protection as IK, i.e. Source 1 and Destination 2,
>> except it looses identity hiding, as that's kind of the point
>>
>> is this correct?
>>
>> thanks,
>> Arvid
>>
>> --
>> +4916093821054
>> _______________________________________________
>> Noise mailing list
>> Noise at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/noise
>>
>>
>> _______________________________________________
>> Noise mailing list
>> Noise at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/noise
>
>
>
> --
> +4916093821054
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise


More information about the Noise mailing list