On Tue, Jul 13, 2021 at 11:34:47AM -0700, Trevor Perrin wrote:
> You also wanted to add an (optional) pre-shared key, which Noise supports:
>
> NKpsk0:
>   <- s
>   ...
>   -> psk, e, es
>   <- e, ee

Out of curiosity, Trevor, what properties does this Noise protocol provide for low-entropy psk? Nick, what are the settings in Tor (if any) in which low-entropy psk will come up?

But this post from Trevor also made me realize a bigger issue with the protocol Nick proposed: If you want the protocol to work with Walking Onions, it needs to be *post-specified peer*. That is, contrary to:

> The client knows:
>   * B: a public "onion key" for S

The client will in fact _not_ know B in advance in a Walking Onions setting, but rather will learn it at the end of the handshake. The protocol Nick specified does in fact use B in the first message, unlike the current ntor handshake, which just sends KEYID(B) in the first flow, but it's not part of the math, or indeed as far as I can see, used for anything at all in Section 5.1.4 of tor-spec.txt, and so can be easily removed (and replaced with B being sent by the server) for Walking Onions.

_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
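
The pre-specified versus post-specified peer distinction raised in the message above can be read directly off Noise pattern notation. The following Python code is an added example, not part of the original message or of any Tor or Noise code; the function names are hypothetical, NKpsk0 is taken from the quoted text, and NX and NN are the patterns of those names from the Noise specification.

```python
# Added example. Function names are hypothetical; patterns use Noise notation.
PATTERNS = {
    "NKpsk0": "<- s\n...\n-> psk, e, es\n<- e, ee",  # as quoted in the message
    "NX": "-> e\n<- e, ee, s, es",                   # from the Noise specification
    "NN": "-> e\n<- e, ee",                          # from the Noise specification
}
RESPONDER_STATIC_DH = {"es", "ss"}  # DH tokens that use the responder's static key


def parse(pattern):
    """Split a pattern into (pre_messages, messages), each [(direction, tokens)]."""
    pre, msgs = [], []
    for line in pattern.strip().splitlines():
        line = line.strip()
        if line == "...":          # everything before "..." is a pre-message
            pre, msgs = msgs, []
            continue
        direction, _, rest = line.partition(" ")
        msgs.append((direction, [t.strip() for t in rest.split(",")]))
    return pre, msgs


def responder_key_timing(pattern):
    """Return when the initiator learns the responder's static key."""
    pre, msgs = parse(pattern)
    known = any(d == "<-" and "s" in toks for d, toks in pre)
    timing = "pre-specified" if known else "none"
    for direction, toks in msgs:
        for tok in toks:
            if direction == "<-" and tok == "s" and not known:
                known, timing = True, "post-specified"
            elif tok in RESPONDER_STATIC_DH and not known:
                raise ValueError(f"{tok!r} used before responder static key is known")
    return timing


def first_flow_needs_responder_key(pattern):
    """True if the initiator's first message does a DH with the responder's static key."""
    _, msgs = parse(pattern)
    return bool(RESPONDER_STATIC_DH & set(msgs[0][1]))


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(name, responder_key_timing(pat), first_flow_needs_responder_key(pat))
```

NKpsk0 is reported as pre-specified with the responder key used in the first flow, while NX is post-specified because the responder transmits `s` in its reply.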