Noise Protocol Framework

The Noise Protocol Framework is a framework for designing verified cryptographic protocols.[1][2]

The Noise Protocol Framework serves as an open source framework for encryption protocols for end-to-end encrypted data exchange, based on the Diffie-Hellman key exchange (DH). Secure alternatives to the well-known TLS have already been created using the framework; they guarantee the integrity and authenticity of the transmitted messages by using Authenticated Encryption with Associated Data (AEAD).

Background

The framework was developed by Trevor Perrin with support from Moxie Marlinspike based on work done at Open Whisper Systems.

About "Noise"

"Noise" refers to one of the design rationales:

Ciphertexts are required to be indistinguishable from random because:

This makes Noise protocols easier to use with random padding (for length-hiding), for censorship-resistant "unfingerprintable" protocols, or with steganography. Note, however, that ephemeral keys are likely to be distinguishable from random unless a technique such as Elligator is used.

Possibly also a pun on Signal (software).

Diffie–Hellman (DH) Based Protocols (from RWC 2018 talk)

Most secure channel protocols use an Authenticated Key Exchange (AKE) based on signatures (for authentication) and Diffie-Hellman (for key exchange). In the last 10-15 years, there has been growing interest in DH-based AKEs (without signatures).

Elegant, but each protocol starts from scratch

  • Idea #1: Combine simple elements to make different protocols
  • Idea #2: Use “sponge-like” symmetric crypto (idea from Mike Hamburg’s Strobe)

Development

The initial commit for the specification was made on Aug 4, 2014, and the specification underwent many changes following discussion on the mailing list until rev34 on Jul 11, 2018. NB: it was originally maintained in a wiki starting from 10-Feb-2013.

The Framework

Functionality

The protocol begins, just like TLS, with the handshake phase, in which the two parties' public keys are exchanged. The keys of both parties can be ephemeral and/or static. A shared secret key is then calculated by performing a series of DH operations; with it, a symmetric encryption method can be used, and the messages are secured with a Message Authentication Code (MAC) to protect their authenticity. With the Noise Protocol Framework, you can choose between different handshake patterns, DH functions, hash functions and encryption functions, which together give you a concrete Noise protocol.

Handshake

The core of the Noise Protocol is the respective set of variables of the parties at the time of the handshake and the rules of the chosen handshake pattern according to which the individual handshake messages are processed, sent and received. Each party has the following variables:

  • s, e: The local static and/or ephemeral key pair, which can also be empty.
  • rs, re: The remote party's static and/or ephemeral key pair, which can be empty.
  • h: A handshake hash value that hashes all handshake data sent or received.
  • ck: The chaining key that hashes all previous DH outputs. Once the handshake is complete, the chaining key is used to derive the encryption key.
  • k, n: The encryption key k, which can be empty, and a count-based nonce n are used to encrypt the static public keys and the handshake payloads using AEAD, which uses h as AD. Whenever a new ck is computed by the DH output, a new k is also computed.

A handshake message always consists of a DH public key followed by a payload that is freely selected depending on the application. The sender assembles the respective message step by step from tokens, depending on the message pattern. Possible tokens are:

  • "e": The sender generates a new ephemeral key pair and writes the public key as plaintext into the message buffer and hashes the public key together with the old h to derive a new h.
  • "s": The sender writes its static public key of s into the message buffer, encrypts it with k if k has already been generated and hashes the public key together with the old h to derive a new h.
  • "ee", "se", "es", "ss": A Diffie-Hellman between the key pair of the initiator and the responder is performed, the result is hashed together with the old chaining key ck to derive a new ck and a new k, and finally n is set to zero.

After the last token of a handshake message has been processed, the sender writes the payload into the message buffer, encrypts the message if an encryption key k has already been generated, and hashes the output with the old h to derive a new h.

Examples

Handshake pattern of a handshake without authentication

 → e
 ← e, ee
  • The initiator sends the first message with its ephemeral public key.
  • The responder sends back its own ephemeral public key.
  • Finally, a DH is performed and the output is hashed to a secret key.
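
The unauthenticated pattern above, traced through the handshake variables h, ck, k and n, as an added example that is not code from the specification or from any listed implementation. It assumes the 25519 DH function, SHA-256 and the protocol name Noise_NN_25519_ChaChaPoly_SHA256; payload processing (including AEAD) is left out, so the h values are not those a real Noise implementation would compute, and the class and function names are illustrative.

```python
import hashlib, hmac, os

P, A24, BASE = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def x25519(k, u):  # RFC 7748 ladder; not constant-time, illustration only
    s = int.from_bytes(k, "little") & ~7 & ((1 << 254) - 1) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (s >> t) & 1
        if swap ^ bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + A24 * (aa - bb)) % P
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")  # bit 0 is 0: no final swap

def hkdf2(ck, ikm):  # Noise HKDF with two 32-byte outputs (HMAC-SHA256)
    t = hmac.new(ck, ikm, hashlib.sha256).digest()
    o1 = hmac.new(t, b"\x01", hashlib.sha256).digest()
    return o1, hmac.new(t, o1 + b"\x02", hashlib.sha256).digest()

class Party:
    def __init__(self):
        self.h = self.ck = b"Noise_NN_25519_ChaChaPoly_SHA256"  # exactly 32 bytes
        self.k, self.n, self.e, self.re = None, 0, None, None
        self.mix_hash(b"")                      # empty prologue
    def mix_hash(self, data):                   # h absorbs all handshake data
        self.h = hashlib.sha256(self.h + data).digest()
        return data
    def write_e(self):                          # token "e", sender side
        self.e = os.urandom(32)
        return self.mix_hash(x25519(self.e, BASE))
    def read_e(self, pub):                      # token "e", receiver side
        self.re = self.mix_hash(pub)
    def ee(self):                               # token "ee": new ck and k, n reset
        self.ck, self.k = hkdf2(self.ck, x25519(self.e, self.re))
        self.n = 0
    def split(self):                            # transport keys from the final ck
        return hkdf2(self.ck, b"")

def run_nn():
    i, r = Party(), Party()
    r.read_e(i.write_e())                       # -> e
    i.read_e(r.write_e())                       # <- e, ...
    r.ee()                                      #       ... ee (responder)
    i.ee()                                      #       ... ee (initiator)
    return i, r
```

Both parties finish with identical h, ck and k without either having proved who it is, which is why this pattern gives confidentiality against passive observers only.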

Handshake pattern of a handshake with authentication of the responder

 → e
 ← e, ee, s, es

In this case, the final ck and k values are a hash of both DH results. Since the tokens indicate that a DH was performed between the initiator's ephemeral key pair and the responder's static key pair, if the initiator can decrypt the payload of the second message, the responder has been successfully authenticated.

Handshake pattern of a handshake with authentication of the initiator

 → e
 ← e, ee, s, es
 → s, se

This is done in the same way as authenticating the responder.

There are still a variety of possible patterns to choose from, which are always selected depending on the area of application.

Cryptographic Algorithms

The specification supports 8 algorithms with the following names.

Diffie-Hellman Functions

Cipher Functions

Hash Functions

[The Wiki has a list of unofficial algorithms]

Implementations


Language          Name
C                 Noise-C
C#                Noise.NET
CLI               noisecat
Erlang            noise
Java              Noise-Java
JavaScript/WASM   noise-c.wasm (from Noise-C)
Haskell           cacophony
Go                noise
Go                nyquist
Go                NoisePlugAndPlay
Objective-C       Noise.framework (macOS and iOS compatible framework, Swift friendly)
Python            noiseprotocol
Python            Dissononce
Racket            noise-protocol
Ruby              Noise
Rust              Snow
Rust              Noise-Rust

Concrete Protocols

Presentations

See Also

Some other uses of noise in the general cryptographic sense

References


  1. Dowling, Benjamin; Rösler, Paul; Schwenk, Jörg (2020). "Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework". Lecture Notes in Computer Science. Cham: Springer International Publishing. pp. 341–373. doi:10.1007/978-3-030-45374-9_12. hdl:20.500.11850/399156. ISBN 978-3-030-45373-2. Retrieved 2024-05-17.
  2. Kobeissi, Nadim; Nicolas, Georgio; Bhargavan, Karthikeyan (June 2019). "Noise Explorer: Fully Automated Modeling and Verification for Arbitrary Noise Protocols". 2019 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE. pp. 356–370. doi:10.1109/eurosp.2019.00034. ISBN 978-1-7281-1148-3.