ECIES-X25519 Updates to Standard Noise
- NS = NewSession
- NSR = NewSessionReply
- ES = ExistingSession
New Outbound Session
- patterns:
- e es s ss ->
- <- e ee se
- sends NS message(s) to Bob
- each NS gets its own unique ephemeral key
- creates reply tags for each message
- receives NSR message(s) from Bob
- uses the first received NSR to establish new inbound and outbound sessions
- searches pending sessions for Bob to find a matching reply tag
- calls MixHash(re) + MixKey(DH(e, re)) + MixKey(DH(s, re)) + Split()
- uses the inbound and outbound cipherstates chain key to generate session tags and keys
- uses the inbound cipherstate's first session key to decrypt the NSR payload
- uses the inbound cipherstate for receiving ES messages from Bob
- uses the outbound cipherstate for sending ES messages to Bob
New Inbound Session
- patterns:
- <- e es s ss
- e ee se ->
- receives NS message(s) from Alice
- the first NS establishes the pending session with Alice
- further received NS messages are processed and discarded
- creates reply tags for the first NS message
- sends NSR message(s) to Alice
- each NSR message gets a unique reply tag and ephemeral key
- calls MixHash(e) + MixKey(DH(e, re)) + MixKey(DH(e, rs)) + Split()
- uses the inbound and outbound cipherstates chain key to generate session tags and keys
- uses the outbound cipherstate's first session key to encrypt the NSR payload
- uses the inbound cipherstate for receiving ES messages from Alice
- uses the outbound cipherstate for sending ES messages to Alice
- If multiple NSR messages are sent, Bob doesn't know which Alice receives first
- Bob's first received ES message from Alice fully establishes the session
- Bob searches for a matching session tag in pending sessions for Alice
- Bob's matching session is selected, the remaining pending sessions are discarded
Reply Tag Generation
Reply tags are generated in a similar way to ES tags.
Generation is different in the following ways:
- the first tag chain key is set to the NS chain key after en/decryption
- For Alice:
replyTagChainKey = initialChainKey + MixKey(DH(e, rs)) + MixKey(DH(s, rs))
- For Bob:
replyTagChainKey = initialChainKey + MixKey(DH(s, re)) + MixKey(DH(s, rs))
The results will be inputs for DH Ratchet:
- root key = chainkey
- shared secret = k
Other than that, reply tag generation follows the same specs as ES tags.
Visualization
Below are visualizations for how the protocol works.
Only one NS and one NSR message are shown for simplicity.
In practice, Alice may generate multiple NS messages, and Bob may generate multiple NSR messages.
Only the first received NS and NSR message are used to establish a session.
From Alice's perspective:
create NS message + reply tags
send NS message ->
<- receive NSR message
Call MixHash(re) + MixKey(DH(e, re)) + MixKey(DH(s, re)) + Split()
Decrypt NSR payload with temp_k2 from Split(), with h as the AD
After successful decryption, session is fully confirmed, discard other pending sessions
send ES message(s) ->
From Bob's perspective:
<- receive NS message
Create reply tags + NSR message
Call MixHash(e) + MixKey(DH(e, re)) + MixKey(DH(e, rs)) + Split()
Encrypt NSR payload with temp_k2 from Split(), with h as the AD
send NSR message ->
<- ES message(s)
After successful decryption of an ES message, session is fully confirmed, discard other pending sessions
Edited by tini2p