[noise] Noise handshake pattern validity question

Loup Vaillant-David loup at loup-vaillant.fr
Fri Jun 4 10:20:42 PDT 2021


> In practice, if we take the IX handshake pattern:
> -> e, s
> <- e, ee, se, s, es
> What would be the negative effects of removing 'ee' from it?
> -> e, s
> <- e, se, s, es

Loss of forward secrecy. You can no longer guarantee that leaking the
long term keys will not break the secrecy of past key exchanges. In
this case:

- Leaking the client key compromises the `se` exchange.
- Leaking the server key compromises the `es` exchange.
- Compromising both compromises *both* exchanges, and breaks secrecy.

The `ee` exchange on the other hand is never compromised by future
leaks (the private halves are erased). That's why you need it.

Note that the only Noise patterns that do not have `ee` are the non-
interactive patterns N, X, and K. That's because the recipient does not
respond, and as such cannot provide an ephemeral key of its own. This
makes forward secrecy impossible to achieve: if the recipient key is
leaked, then the message is revealed. That's a big reason why we favour
interactive protocols whenever possible.

Loup.
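
The argument in this reply, as an added example that is not part of the original message: an observer who recorded the handshake and later obtains both static private keys can recompute the key of the `se, es` variant, but not once `ee` is mixed in. The DH group (exponentiation mod 2**255 - 19), the SHA-256 key derivation and all function names are assumptions made for illustration; real Noise uses X25519 or X448 with its HKDF-based key schedule.

```python
import hashlib
import secrets

# Toy DH group, assumed for illustration only (not X25519).
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(32, "big")

def derive(shared_secrets):
    # Stand-in for Noise's MixKey chain: hash the DH outputs in token order.
    return hashlib.sha256(b"".join(shared_secrets)).digest()

def handshake(tokens):
    """Run the DH tokens of one handshake.

    Returns (session key, recorded public keys, static private keys leaked later).
    """
    i_e, i_s, r_e, r_s = keypair(), keypair(), keypair(), keypair()
    # Token "xy": x is the initiator's key, y is the responder's key.
    init, resp = {"e": i_e, "s": i_s}, {"e": r_e, "s": r_s}
    key = derive([dh(init[t[0]][0], resp[t[1]][1]) for t in tokens])
    # Simplification: every public key is treated as known to the observer.
    recorded = {"i_e": i_e[1], "i_s": i_s[1], "r_e": r_e[1], "r_s": r_s[1]}
    # Ephemeral private keys are erased after the handshake and never leak.
    leaked = {"i_s": i_s[0], "r_s": r_s[0]}
    return key, recorded, leaked

def recover(tokens, recorded, leaked):
    """Recompute the key from public keys and leaked static keys, or return None."""
    parts = []
    for t in tokens:
        if t[0] == "s":    # initiator static private x responder public
            parts.append(dh(leaked["i_s"], recorded["r_" + t[1]]))
        elif t[1] == "s":  # responder static private x initiator public
            parts.append(dh(leaked["r_s"], recorded["i_" + t[0]]))
        else:              # "ee": both private halves were ephemeral and are gone
            return None
    return derive(parts)
```
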



