justincormack · September 2, 2018 19:47
diff --git a/ss and noss Noise modifiers b/ss and noss Noise modifiers
 ## Modifiers for ss tokens

 The K, X, KK and IK patterns have an "ss" token in the first line. These are there on the basis that this adds some
 authentication for the initiator, but it is not at that point capable of using the standard "se", as it does not have
 the responders ephemeral key yet. In some cases this may not be needed, for example if the initiator is not sending
 a premessage at this point in the handshake, especially for the two way handshakes. For this reason there is a "noss"
 modifier that omits the "ss" token from these handshakes. This improves performance slightly by omitting one DH
 operation.

 Conversely there are use cases where adding an "ss" token is useful, as it can strengthen the authentication for a
 handshake, requiring that at least one of the long term keys is compromised in order for the attacker to compute the
 "ss" DH. For this use case there is an "ss" pattern modifier, which adds the "ss" token after the "es" and "se"
 tokens.

 ## Amends to Appendix for pattern derivation rules

 For the initiator, rule 5 for ss is removed in the "noss" case. For the "ss" modifier, it is changed to perform "ss"
 if "se" and "es" have been performed. For the responder this rule is also added.

 ## Appendix Patterns with "ss" and "noss"

 ### One way patterns for "noss"

 Knoss:
  -> s
  <- s
  ...
  -> e, es

 Xnoss:
  <- s
  ...
  -> e, es, s

 ### Two way patterns for "noss"

 KKnoss:
  -> s
  <- s
  ...
  -> e, es
  <- e, ee, se

 IKnoss:
  <- s
  ...
  -> e, es, s
  <- e, ee, se

 ### Standard paterns for "ss"

 KKss:
  -> s
  <- s
  ...
  -> e, es
  <- e, ee, se, ss

 KXss:
  -> s
  ...
  -> e
  <- e, ee, se, s, es, ss

 XKss:
  <- s
  ...
  -> e, es
  <- e, ee
  -> s, se, ss

 IKss:
  <- s
  ...
  -> e, es, s
  <- e, ee, se, ss

 XXss:
  -> e
  <- e, ee, s, es
  -> s, se, ss

 IXss:
  -> e, s
  <- e, ee, se, s, es, ss

 ### Deferred patterns for "ss"

 K1Kss:
  -> s
  <- s
  ...
  -> e, es
  <- e, ee
  -> se, ss

 KK1ss:
  -> s
  <- s
  ...
  -> e
  <- e, ee, se, es, ss

 K1K1ss:
  -> s
  <- s
  ...
  -> e
  <- e, ee, es
  -> se, ss

 K1Xss:
  -> s
  ...
  -> e
  <- e, ee, s, es
  -> se, ss

 KX1ss:
  -> s
  ...
  -> e
  <- e, ee, se, s
  -> es, ss

 K1X1ss:
  -> s
  ...
  -> e
  <- e, ee, s
  -> se, es, ss

 X1Kss:
  <- s
  ...
  -> e, es
  <- e, ee
  -> s
  <- se, ss

 XK1ss:
  <- s
  ...
  -> e
  <- e, ee, es
  -> s, se, ss

 X1K1ss:
  <- s
  ...
  -> e
  <- e, ee, es
  -> s
  <- se, ss

 I1Kss:
  <- s
  ...
  -> e, es, s
  <- e, ee
  -> se, ss

 IK1ss:
  <- s
  ...
  -> e, s
  <- e, ee, se, es, ss

 I1K1ss:
  <- s
  ...
  -> e, s
  <- e, ee, es
  -> se, ss

 X1Xss:
  -> e
  <- e, ee, s, es
  -> s
  <- se, ss

 XX1ss:
  -> e
  <- e, ee, s
  -> es, s, se, ss

 X1X1ss:
  -> e
  <- e, ee, s
  -> es, s
  <- se, ss

 I1Xss:
  -> e, s
  <- e, ee, s, es
  -> se, ss

 IX1ss:
  -> e, s
  <- e, ee, se, s
  -> es, ss

 I1X1ss:
  -> e, s
  <- e, ee, s
  -> se, es, ss
	## Modifiers for ss tokens

	The K, X, KK and IK patterns have an "ss" token in the first line. These are there on the basis that this adds some
	authentication for the initiator, but it is not at that point capable of using the standard "se", as it does not have
	the responders ephemeral key yet. In some cases this may not be needed, for example if the initiator is not sending
	a premessage at this point in the handshake, especially for the two way handshakes. For this reason there is a "noss"
	modifier that omits the "ss" token from these handshakes. This improves performance slightly by omitting one DH
	operation.

	Conversely there are use cases where adding an "ss" token is useful, as it can strengthen the authentication for a
	handshake, requiring that at least one of the long term keys is compromised in order for the attacker to compute the
	"ss" DH. For this use case there is an "ss" pattern modifier, which adds the "ss" token after the "es" and "se"
	tokens.

	## Amends to Appendix for pattern derivation rules

	For the initiator, rule 5 for ss is removed in the "noss" case. For the "ss" modifier, it is changed to perform "ss"
	if "se" and "es" have been performed. For the responder this rule is also added.

	## Appendix Patterns with "ss" and "noss"

	### One way patterns for "noss"

	Knoss:
	-> s
	<- s
	...
	-> e, es

	Xnoss:
	<- s
	...
	-> e, es, s

	### Two way patterns for "noss"

	KKnoss:
	-> s
	<- s
	...
	-> e, es
	<- e, ee, se

	IKnoss:
	<- s
	...
	-> e, es, s
	<- e, ee, se

	### Standard paterns for "ss"

	KKss:
	-> s
	<- s
	...
	-> e, es
	<- e, ee, se, ss

	KXss:
	-> s
	...
	-> e
	<- e, ee, se, s, es, ss

	XKss:
	<- s
	...
	-> e, es
	<- e, ee
	-> s, se, ss

	IKss:
	<- s
	...
	-> e, es, s
	<- e, ee, se, ss

	XXss:
	-> e
	<- e, ee, s, es
	-> s, se, ss

	IXss:
	-> e, s
	<- e, ee, se, s, es, ss

	### Deferred patterns for "ss"

	K1Kss:
	-> s
	<- s
	...
	-> e, es
	<- e, ee
	-> se, ss

	KK1ss:
	-> s
	<- s
	...
	-> e
	<- e, ee, se, es, ss

	K1K1ss:
	-> s
	<- s
	...
	-> e
	<- e, ee, es
	-> se, ss

	K1Xss:
	-> s
	...
	-> e
	<- e, ee, s, es
	-> se, ss

	KX1ss:
	-> s
	...
	-> e
	<- e, ee, se, s
	-> es, ss

	K1X1ss:
	-> s
	...
	-> e
	<- e, ee, s
	-> se, es, ss

	X1Kss:
	<- s
	...
	-> e, es
	<- e, ee
	-> s
	<- se, ss

	XK1ss:
	<- s
	...
	-> e
	<- e, ee, es
	-> s, se, ss

	X1K1ss:
	<- s
	...
	-> e
	<- e, ee, es
	-> s
	<- se, ss

	I1Kss:
	<- s
	...
	-> e, es, s
	<- e, ee
	-> se, ss

	IK1ss:
	<- s
	...
	-> e, s
	<- e, ee, se, es, ss

	I1K1ss:
	<- s
	...
	-> e, s
	<- e, ee, es
	-> se, ss

	X1Xss:
	-> e
	<- e, ee, s, es
	-> s
	<- se, ss

	XX1ss:
	-> e
	<- e, ee, s
	-> es, s, se, ss

	X1X1ss:
	-> e
	<- e, ee, s
	-> es, s
	<- se, ss

	I1Xss:
	-> e, s
	<- e, ee, s, es
	-> se, ss

	IX1ss:
	-> e, s
	<- e, ee, se, s
	-> es, ss

	I1X1ss:
	-> e, s
	<- e, ee, s
	-> se, es, ss