interpretation of DH tokens in Bob-initiated patterns

[rmculpepper]

I got confused multiple times about initiator vs responder and Alice vs Bob. I have some thoughts about that, but first I have a question.

What does es mean? There are two possibilities:

• Section 5.3 (in {Write,Read}Message) says it means DH(initiator's ephemeral key, responders's static key).
• Section 7 says it means DH(left side's ephemeral key, right side's static key).

These two interpretations are the same when the pattern is written in canonical form, but different when the pattern is written in right-initiated (ie, Bob-initiated) form. (Likewise for se, of course.)

If the first interpretation (initiator/responder) is intended, then there are bugs in Section 7 and later, including the examples and the rule for flipping patterns.

If the second interpretation (left/right) is intended, then Section 5 should have a warning that it only applies to patterns in canonical form, and Section 7 should explicitly amend the interpretation to DH(left's ephemeral, right's static). Section 7 currently says "All processing rules and discussions so far have assumed canonical-form handshake patterns" --- that sentence is not sufficient; it is too vague.

This issue affects other specs too. For example, the current Signatures for Noise draft says "The sig modifier can only be used with patterns where se is not sent by the responder...". Should "responder" be "Bob"? Do the rewrite rules make sense for Bob-initiated patterns? It might be better to declare that Bob-initiated "patterns" are not real patterns, but only used for illustration and intermediate forms, and emphasize that all processing is done in terms of the real (ie, canonical) patterns.

[trevp]

Hi Ryan, would you be willing to post this on the mailing list, it's a good question and there's a bigger audience there: http://noiseprotocol.org/