Cryptology ePrint Archive: Report 2019/436

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Benjamin Dowling and Paul Rösler and Jörg Schwenk

Abstract: The Noise protocol framework is a suite of channel establishment protocols, of which each individual protocol ensures various security properties of the transmitted messages, but keeps specification, implementation, and configuration relatively simple. Implementations of the Noise protocols are themselves, due to the employed primitives, very performant. Thus, despite its relative youth, Noise is already used by large-scale deployed applications such as WhatsApp and Slack. Though the specification describes and claims the security properties of the protocol patterns very precisely, there has been no computational proof yet. We close this gap.

Noise uses only a limited number of cryptographic primitives which makes it an ideal candidate for reduction-based security proofs. Due to its patterns' characteristics as channel establishment protocols, and the usage of established keys within the handshake, the authenticated and confidential channel establishment (ACCE) model (Jager et al. CRYPTO 2012) seems perfectly fit for an analysis of Noise. However, the ACCE model strictly divides protocols into two non-overlapping phases: the pre-accept phase (i.e., the channel establishment) and post-accept phase (i.e., the channel). Using the example of Noise, we show that this separation originates from the historic background of the TLS 1.2 proof, rather than it depicting the natural core of a channel establishment protocol. Similarly to TLS 1.3, Noise allows the transmission of encrypted messages as soon as a key is established (for instance, before any authentication between parties has taken place).

By proposing a generalization of the original ACCE model, we catch security properties of these earlier messages precisely. As our generalized model is aimed to capture security of multiple different channel establishment protocols, we then add flexibility to the security definition, comparable to the multi-stage key exchange model (Fischlin and Günther CCS 2014). We furthermore provide a broad discussion on the relations among and dimensions of the considered security properties as this plays a crucial role when defining security flexibly. Based on this, we observe that each message sent during the channel establishment can add new security properties, while inheriting those established in previous stages.

We give full security proofs for eight of the 15 basic Noise patterns to illustrate the flexibility and validity of this approach.

Category / Keywords: cryptographic protocols / channel establishment, ACCE, mutli-stage, Noise framework

Date: received 29 Apr 2019, last revised 30 Apr 2019

Contact author: paul roesler at rub de, benjamin dowling@rhul ac uk

Available format(s): PDF | BibTeX Citation

Version: 20190503:121535 (All versions of this report)

Short URL: ia.cr/2019/436


[ Cryptology ePrint archive ]