author | trevnoise <noise@trevp.net> | 2017-05-11 01:22:38 +0000 |
---|---|---|
committer | trevnoise <noise@trevp.net> | 2017-05-11 01:22:38 +0000 |
commit | 39a9d2bea8cf354f3f623e6a0b1b68068401b8bf (patch) | |
tree | 95d7f3dd5b10453d3647452a847744297ade3c36 | |
parent | Pagination (diff) | |
Mention "psk" token earlier
-rw-r--r-- | noise.md | 9 |
-rw-r--r-- | output/noise.html | 7 |
-rw-r--r-- | output/noise.pdf | bin | 361916 -> 362053 bytes |
3 files changed, 11 insertions, 5 deletions
@@ -265,7 +265,7 @@ Noise depends on the following **cipher functions**: * **`REKEY(k)`**: Returns a new 32-byte cipher key as a pseudorandom function of `k`. If this function is not specifically defined for some set of cipher functions, then it defaults to returning the first 32 bytes from `ENCRYPT(k, - maxnonce, zerolen, zeros)`, where `MAXNONCE` equals 2^64^-1, `zerolen` is a + maxnonce, zerolen, zeros)`, where `maxnonce` equals 2^64^-1, `zerolen` is a zero-length byte sequence, and `zeros` is a sequence of 32 bytes filled with zeros. @@ -419,6 +419,8 @@ A `SymmetricState` responds to the following methods: * If `HASHLEN` is 64, then truncates `temp_k` to 32 bytes. * Calls `InitializeKey(temp_k)`. +\newpage + * **`EncryptAndHash(plaintext)`**: Sets `ciphertext = EncryptWithAd(h, plaintext)`, calls `MixHash(ciphertext)`, and returns `ciphertext`. Note that if `k` is `empty`, the `EncryptWithAd()` call will set `ciphertext` equal to `plaintext`. @@ -455,8 +457,9 @@ portion of the handshake pattern: * **`initiator`**: A boolean indicating the initiator or responder role. * **`message_patterns`**: A sequence of message patterns. Each message - pattern is a sequence of tokens from the set `("e", "s", "ee", "es", - "se", "ss")`. + pattern is a sequence of tokens from the set `("e", "s", "ee", "es", "se", + "ss")`. (An additional `"psk"` token is introduced in [Section + 9](pre-shared-symmetric-keys), but we defer its explanation until then.) A `HandshakeState` responds to the following methods: diff --git a/output/noise.html b/output/noise.html index 965bacc..cf56b09 100644 --- a/output/noise.html +++ b/output/noise.html 
@@ -168,7 +168,7 @@ <ul> <li><p><strong><code>ENCRYPT(k, n, ad, plaintext)</code></strong>: Encrypts <code>plaintext</code> using the cipher key <code>k</code> of 32 bytes and an 8-byte unsigned integer nonce <code>n</code> which must be unique for the key <code>k</code>. Returns the ciphertext. Encryption must be done with an "AEAD" encryption mode with the associated data <code>ad</code> (using the terminology from <span class="citation">[<a href="#ref-Rogaway:2002">1</a>]</span>) and returns a ciphertext that is the same size as the plaintext plus 16 bytes for authentication data. The entire ciphertext must be indistinguishable from random if the key is secret.</p></li> <li><p><strong><code>DECRYPT(k, n, ad, ciphertext)</code></strong>: Decrypts <code>ciphertext</code> using a cipher key <code>k</code> of 32 bytes, an 8-byte unsigned integer nonce <code>n</code>, and associated data <code>ad</code>. Returns the plaintext, unless authentication fails, in which case an error is signaled to the caller.</p></li> -<li><p><strong><code>REKEY(k)</code></strong>: Returns a new 32-byte cipher key as a pseudorandom function of <code>k</code>. If this function is not specifically defined for some set of cipher functions, then it defaults to returning the first 32 bytes from <code>ENCRYPT(k, maxnonce, zerolen, zeros)</code>, where <code>MAXNONCE</code> equals 2<sup>64</sup>-1, <code>zerolen</code> is a zero-length byte sequence, and <code>zeros</code> is a sequence of 32 bytes filled with zeros.</p></li> +<li><p><strong><code>REKEY(k)</code></strong>: Returns a new 32-byte cipher key as a pseudorandom function of <code>k</code>. 
If this function is not specifically defined for some set of cipher functions, then it defaults to returning the first 32 bytes from <code>ENCRYPT(k, maxnonce, zerolen, zeros)</code>, where <code>maxnonce</code> equals 2<sup>64</sup>-1, <code>zerolen</code> is a zero-length byte sequence, and <code>zeros</code> is a sequence of 32 bytes filled with zeros.</p></li> </ul> <h2 id="hash-functions">4.3. Hash functions</h2> <p>Noise depends on the following <strong>hash function</strong> (and associated constants):</p> @@ -244,6 +244,9 @@ <li>If <code>HASHLEN</code> is 64, then truncates <code>temp_k</code> to 32 bytes.</li> <li>Calls <code>InitializeKey(temp_k)</code>.</li> </ul></li> +</ul> + +<ul> <li><p><strong><code>EncryptAndHash(plaintext)</code></strong>: Sets <code>ciphertext = EncryptWithAd(h, plaintext)</code>, calls <code>MixHash(ciphertext)</code>, and returns <code>ciphertext</code>. Note that if <code>k</code> is <code>empty</code>, the <code>EncryptWithAd()</code> call will set <code>ciphertext</code> equal to <code>plaintext</code>.</p></li> <li><p><strong><code>DecryptAndHash(ciphertext)</code></strong>: Sets <code>plaintext = DecryptWithAd(h, ciphertext)</code>, calls <code>MixHash(ciphertext)</code>, and returns <code>plaintext</code>. Note that if <code>k</code> is <code>empty</code>, the <code>DecryptWithAd()</code> call will set <code>plaintext</code> equal to <code>ciphertext</code>.</p></li> <li><strong><code>Split()</code></strong>: Returns a pair of <code>CipherState</code> objects for encrypting transport messages. Executes the following steps, where <code>zerolen</code> is a zero-length byte sequence: 
@@ -266,7 +269,7 @@ <p>A <code>HandshakeState</code> also has variables to track its role, and the remaining portion of the handshake pattern:</p> <ul> <li><p><strong><code>initiator</code></strong>: A boolean indicating the initiator or responder role.</p></li> -<li><p><strong><code>message_patterns</code></strong>: A sequence of message patterns. Each message pattern is a sequence of tokens from the set <code>("e", "s", "ee", "es", "se", "ss")</code>.</p></li> +<li><p><strong><code>message_patterns</code></strong>: A sequence of message patterns. Each message pattern is a sequence of tokens from the set <code>("e", "s", "ee", "es", "se", "ss")</code>. (An additional <code>"psk"</code> token is introduced in <a href="pre-shared-symmetric-keys">Section 9</a>, but we defer its explanation until then.)</p></li> </ul> <p>A <code>HandshakeState</code> responds to the following methods:</p> <ul> diff --git a/output/noise.pdf b/output/noise.pdf Binary files differindex e0c0a7b..3549263 100644 --- a/output/noise.pdf +++ b/output/noise.pdf |
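Review bot: In the noise.md hunk at @@ -265,7 the `MAXNONCE` to `maxnonce` correction in the `REKEY(k)` item is unrelated to the commit subject 'Mention "psk" token earlier', so it will not be findable from the log. The correction itself is fine, since the name now matches the argument in `ENCRYPT(k, maxnonce, zerolen, zeros)`; mention it in the commit message or split it into its own commit.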
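Review bot: In the noise.md hunk at @@ -419,6 the raw `\newpage` is placed between two items of the `SymmetricState` method list, and the regenerated output/noise.html (hunk @@ -244,6) now closes the list with `</ul>` and reopens it with `<ul>` just before `EncryptAndHash(plaintext)`. A PDF-only layout command is therefore changing the HTML structure, and the break position will drift as text above it changes. Suggest keeping the page break out of the shared Markdown source (for example in the PDF build step), or at least placing it where it does not split a list; the commit message should also mention it.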
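Review bot: In the noise.md hunk at @@ -455,8 the new link target `(pre-shared-symmetric-keys)` has no leading `#`, so the generated HTML (hunk @@ -269,7) carries `href="pre-shared-symmetric-keys"`, which is a relative URL rather than an in-page anchor; the citation link in the same file uses `href="#ref-Rogaway:2002"`. Assuming the Section 9 heading gets the id `pre-shared-symmetric-keys` in the same way the `hash-functions` heading id is formed, change the source to `[Section 9](#pre-shared-symmetric-keys)` and regenerate the outputs. The hard-coded "Section 9" will also go stale if sections are renumbered.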