<i>preroll music</i>

Herald: So, the next talk would be from
Trevor Perrin. He has been called -- wait

for it -- "Living Evangelist in
cryptographic protocol modernization"; he

helped out design some of the protocols
that your phone right now is executing and

sending to that AP over there. Like
signal, which gave him the award of the

Levchin Prize and the Noise Protocol
Framework, which is used by WhatsApp for

client-to-server communication and
WireGuard, the VPN from Jason Donenfeld,

which I don't see around here... Anyways,
the talk will focus on the Noise Protocol

Framework. What is the rationale behind it
and how to use it. Please hand of

applause.
<i>applause</i>

Trevor: All right, thank you everyone for
being here. My name is Trevor Perrin; I do

cryptography, consulting and secure
protocol design. I'm going to be talking

to you this evening about a project I've
been working on for the last few years in

the field of protocol design, which is the
Noise Protocol Framework. Noise is a

framework that helps you in creating
cryptographic secure channel protocols.

The sort of protocols it addresses is
things like TLS or SSH or IPSec, where you

have 2 parties -- they're online at the
same time, for example an internet client

talking to an internet server -- they're
going to want to exchange a few messages

to authenticate each other and then
establish some some shared secret keys,

which they can use for further
communication. Secure channel protocols

like this are the the workhorses of
practical cryptography; most the time when

crypto is used, it's within the context of
some sort of secure channel protocol.

There's other sorts of protocols, like
secure messaging and cryptocurrency and

all sorts of other things, but Noise is
specifically focused on secure channels,

so that's what I'm going to be talking
about in this talk. And probably a lot of

people, just kind of off the bat, have a
reaction to that of being like "Well, why?

We we have secure channel protocols
already: We have TLS; we have SSH; we have

IPSec; and these things have been a huge
amount of effort to design over the last

20+ years. We've been bolting features
onto them and picking bugs out of them.

Why would we want to start down that road
again and build different and newer

protocols?" And I think, that's a very
legitimate question and source of

skepticism. And my feelings about this is
as follows: It's that, what a secure

channel protocol does is really a very
simple thing; it just sends a couple

messages -- 2 or 3, maybe 4 -- sets up a
secure channel. So, these protocols really

should be pretty simple; they should be
simple to implement; they should be simple

to design; and I think, a lot of the ones
that we find ourselves with -- the

mainstream ones -- for what they do, for
what they actually accomplish, I think,

they're probably often too complex, too
complicated and too difficult to extend.

And I think, we need to extend them; we're
going to need to keep adding features and

extending them into new areas and with new
types of cryptography. So, it's important

to have good frameworks and good ways of
doing this. I think, this is an area where

we need a lot of room for improvement. And
so, Noise is a somewhat, I guess,

ambitious effort in that direction. It's
ambitious in the sense that I love to get

it to a point where people could use Noise
for building all sorts of new and future

protocols. I'll be the first to admit that
it's a work in progress; it hasn't

achieved all of its ambitions yet; its
achieved some of them. But we're still

working to extend it and if, by the end of
this talk, I have then convinced people in

the next 20 minutes to try to use Noise
for all your new protocol design...

Challenges, that's going to be okay. What
I mainly want to get across is, just

something about how these protocols work,
the components that go into them, the

design space they're a part of, because I
think, these protocols are so essential to

computer security, it's helpful for
everyone to understand, how they work and

what they do, and not just think of them
as kind of black magic that only a few

wizards can ever touch. So, to understand
these sorts of protocols, secure channel

protocols, I'm going to want to start by
giving just some background on the type of

cryptography that's involved in them: And
the main cryptographic construct in any

secure channel protocol is going to be
what cryptographers call an "Authenticated

Key Exchange" or "AKE protocol" . And an
AKE is just a sequence of messages that go

back and forth between 2 parties, between
Alice and Bob, so they can authenticate

each other and then, at the end of that,
have a shared secret key that they know

they share with their authenticated party.
These protocols, these AKE protocols, can

have different properties: All the ones
we're going to look at have forward

secrecy; they might have mutual
authentication of both parties; they might

have one-way authentication; how they
handled identity information might be

different in different AKEs, so maybe in
some AKEs, both parties start off knowing

each other's identity and public key and
some AKEs will have to transmit this

information. In other AKEs, they might
want to transmit this information, but do

it only after the other party has
negotiated some encryption, so that their

identity information is encrypted, is
protected on the wire. So, there are

different properties of how these things
work; there are different types of crypto

we can use to design AKEs that have these
properties. And I want to expand on this a

little bit, because most AKEs that people
have experience with, the mainstream ones,

all do their AKE in kind of the same way:
They do a AKE using signatures for

authenticaton and Diffie-Hellman for a key
agreement. But in the last... that's a 10

or so... 10+ years, there has been a
growing interest in doing AKEs that are

just purely based on Diffie-Hellman key
agreement without signatures, and there

has been a bunch of papers that analyze
security models and do proofs for this

sort of AKE. People have put this into
practice in things like Tor and Tor key

agreement by Ian Goldberg and a number of
designs by Daniel Bernstein and others,

like SALT cryptoboxes, CurveCP, etc. So,
there has been a kind of interest in doing

this and Noise is particularly trying to
take this idea and run with it. So, I want

to explain a little bit more about how
these sorts of Diffie-Hellman-centric AKEs

work. And so, we'll start by looking at
just the key exchange part of an AKE and

this is part is going to be sort of
generic to all the protocols, all the AKE

protocols, we talked about, which is just
going to be an unauthenticated dDffie-

Hellman key exchange. The way you think
about Diffie-Hellman is that there's Alice

and Bob: They each have a key pair, a
private key and a public key; they're each

going to exchange their public key with
the others; then they're going to take

their public key, they're going to take
their private key; they're going to

combine these two and get a shared secret,
which is the same for both parties. So,

that's just a basic Diffie-Hellman to
add... to key agreement, to turn it into

an authenticated key exchange, you
exchange, we're going to add

authentication. And so, we can do that by
adding signatures in a very conventional

way: Let's say both parties know each
other's public keys, so Bob just has to

send an encrypted signature to Alice;
Alice responds with an encrypted

signature; now we have an AKE. And this
design is called Sigma, it's essentially

Sigma, and it's essentially how something
like TLS 1.3 works, where you first get a

secret key, then send signatures as
authenticators under the encryption. And

there's nothing wrong with this design,
it's a good design. We can look at that

schematically by imagining that what's
happening if we don't consider the message

sequences: Alice and Bob are each signing
the key agreement, so that once they get a

shared key, they know that the other party
agrees with this shared key by verifying

the signature. If we want to do an AKE
that's entirely signature-based, we're

going to have to replace these signatures
with some sort of Diffie-Hellman, while

still getting that same confidence and
that same guarantee, that the other party

agrees on the ultimate, final, shared
secret key we get out of this AKE. So, the

way we can do that is, we can say "Well,
these these long-lived key pairs that

people have, we'll call them static key
pairs; they're going to be Diffie-Hellman

key pairs instead of signature key pairs;
and each party is going, to in addition to

doing an ephemeral, do ephemeral DH for
forward secrecy, do an ephemeral DH to the

other party's static key for
authentication, and then hash all these

DHs together to get a final key. And the
reason why this convinces each party that

the other party has agreed to the final
key is, because this final key is a hash

that includes the DH of the authentication
DH of their ephemeral key, the other

party's static private key -- the only
other party who knows the output of that

DH is the other party -- thus, if we do
anything with the final shared secret key,

like receive any encrypted message from
it, we know that key can only have been

calculated by the correct counterparty.
So, we're accomplishing authentication by

using DH instead of signatures here and so
this is a... it's a well understood thing,

but I wanted to kind of just touch on that
before we talk about... where I dive into

the history of Noise. And the history of
Noise is that a few years ago, I was

reading a lot of these papers that talked,
Diffie-Hellman-based key exchange, and

looking at a number of these designs where
people were doing Diffie-Hellman-based key

exchange and I thought, these were cool
designs. I thought, they were elegant; I

thought they were efficient. But every
time someone did a new Diffie-Hellman-

based thing, like nTor or salt or CurveCP
or OPTLS, they would sort of start from

scratch and they'd say "Okay, how are we
going to do key derivation? How are we

going to do transcript hashing? How are we
going to do key confirmation?" If they

were doing security analysis, they'd
create their own security model; they'd

write their own Gap DH ROM-based
security proof that's pretty much the same

as everyone else's security proof, but
it's still a lot of work. So, there was a

lot of reused or sort of repeated work
being done to build this style of protocol

and so, the the motivating idea for Noise
was, whether we could capture that work

into a framework that just provided you
some common elements so people could

easily combine those elements together and
create a wide range of different protocols

in this style. And so, I started working
on ways of kind of connecting protocol

pieces together. Eventually, I talked to
Mike Hamburg who's working on something

else -- this Strobe Protocol Framework
that was kind of based on sponge-based

cryptography -- and we kind of took some
ideas from that. With with all those ideas

we were able to come up with I think a
pretty good system for describing a wide

range of protocols just by taking a
Diffie-Hellman operation and some simple

other cryptography and combining them in a
bunch of different ways. That core design

of noise is what we arrived at by 2015 and
it's been stable since then. We know noise

is still a work in progress because we're
trying to extend it and add new forms of

cryptography and build more things around
this core but we do have a pretty good

core at this point. We've built a small
community around it with a mailing list,

website, specifications, test suites, open
source libraries in a bunch of common

languages and we also have a couple users:
Noise Based Protocol is used by WhatsApp

for client-to-server communication from
the app to the server and WireGuard which

is a next generation VPN tunnel project by
Jason Donenfeld, it also uses a a noise

based secure channel protocol. We're also
getting interest from some some other

directions, from people doing like
Internet of Things, embedded systems,

anonymity network type systems, the
Lightning Network proposal for Bitcoin

which will incorporate a Noise Based
Protocol. So I think we're getting

interest from people who potentially want
a customized secure channel protocol for a

new area they're working in but don't want
to drag in a lot of extraneous complexity.

They want something simple and efficient
that addresses their use case. That's what

I think is the sweet spot for Noise so
far. For the rest of this talk, what I

want to do is talk about what the
components of a secure channel protocol

are, why I think it's a good idea to have
a framework that addresses the design of

these things, and then fill in the details
on what the Noise framework actually is.

Secure channel protocols all have kind of
the same structure: they start with a

handshake phase where parties send a few
messages back and forth to get a shared

secret key, then they use this shared
secret key for the transport phase of just

doing bulk encryption. The transport phase
is a simple thing, it's pretty easy to

just use shared keys to encrypt data back
and forth, so I'm not going to say a lot

more about it. The handshake phase is
where all the excitement and the

interesting things are. Of course, the
main component of a secure protocol, a

secure channel, is the handshake. It's
going to be just an authenticated key

exchange, an AKE of some sort, but a lot
of secure channel protocols will also have

some sort of negotiation that happens
logically before the rest of this that

determines the type of AKE, and the
parameters of the AKE, and the parameters

of the encryption such as which cipher to
use. You can think of this negotiation

happening logically before everything else
because it determines everything else, but

in practice, for efficiency, the
negotiation of the AKE are usually

overlaid or woven together a little bit.
So I might send an initial message from

the client that says "I'm speculatively
executing this AKE protocol but I'm

willing to execute these other protocols
and I'm willing to use these ciphers for

the transport phase", and then the server
can respond by saying "I want you to do a

different AKE, I want you to use these
ciphers at the end of it". So you have

these negotiation in AKE happening kind of
simultaneously, which is one of the

reasons these protocols are a little
complicated to think about. But anyways,

if we were building a single secure
channel protocol, we would be trying to

fill in these elements. We would be
saying, okay, what AKE do we want to use,

how do we want to instantiate the
cryptography within them, and then how do

we want to design a negotiation structure
that can select one of these different

things, and how do we assemble all that
together. We're not trying to build a a

single AKE protocol, we're trying to build
a framework for building AKE protocols, so

we're doing something a little bit more
confusing and the reason is pretty simple.

If you're trying to build a single
protocol, you have a hard decision, and a

difficult trade-off to manage between
adding features into this protocol and

keeping it simple. Because the more
features you add, the more negotiations

you have, the more different branches your
protocol can take, the more complexity

every implementer has to deal with, the
more attack service you have, because if

there's any bug in any of these features
that an attacker can navigate to, that's

potentially a problem. We want to work on
things that have a lot of features that

address a lot of cases, but we also want
to keep things simple. So if we think of

ourselves as creating not just a single
protocol, but a framework of protocols, we

can kind of manage that tension a little
bit better by imagining that we have all

these features and all these capabilities
off to the side, and a library or a tool

somewhere. And when we build a concrete
protocol, we're just going to select a

bunch of features and hopefully have some
simple combination rules for putting them

together and to get a very customized
protocol that does exactly what we want

and not anything that we we don't want.
That means that working with Noise is

different from working with something like
TLS because with most cryptographic

protocols, you probably can just take a
TLS library, point it at another TLS

library, and they'll figure out how to
connect. They'll do negotiations, fall

backs, retries, ... and they'll find the
intersection of cipher suites and

versions, etc. that they support, and will
connect to each other. That's a feat of

engineering, but there's a lot of
complexity that lies behind that, and

there's a lot of opacity in understanding
what you're really getting. To use Noise,

on the other hand, you have to think in
advance about what you want to use, what

AKEs you want to use, what cryptography
you're gonna get... You're going to choose

all these things. You're going to have to
understand why you want the sequence of

messages, you're going to put them
together, and you're going to end up with

something that very much addresses your
use case, hopefully, but is not going to

have a lot of extraneous complexity. So
that's a different way of working with

protocols and thinking about protocols,
but I think it's the right answer for a

lot of cases. At least that's our goal. We
want to build as a framework where we can

choose a bunch of things, combine them
together, and then end up with a wide

range of different protocols. But to get
there is a little bit complicated. To get

there, we're gonna have to take our
structure of a secure channel protocol and

break it up into some different elements
so that we can mix and match these

elements and get different protocols.
We're gonna break it up in a couple

different ways. The first way we're going
to do that is we're gonna separate out all

the points in the protocol where runtime
decisions are made from all the points of

the protocol, we can think of, it's just
straight line, linear code. And the reason

why is because, if we have straight line,
just linear cryptographic code that just

does one thing after another and sends one
message after another, and does nothing

else, except maybe erroring if it detects,
say, it detects cryptographic

authentication failure. We have code like
that. It's very easy to test, it's easy to

think about, it's easy to design things
around because it just does one thing in a

sequence. And so that's… Noise is very
much going to be about forcing people to

use straight line code with no branches as
much as possible. Our idea of being a

framework hopefully helps with that
because we've moved a lot of decisions

that might have been runtime decisions,
negotiation decision in a full protocol,

we're moving them to, hopefully, design
time decisions within a framework. But we

might still have some negotiation
decisions remaining about, like, which

cipher to use or, you know like, if we try
to do a zero round-trip encryption, we

might have to fall back to something else.
So there might be some decisions that

remain. We're going to try to compress all
those decisions into kind of one, and say

there's only one point in this framework
where runtime decisions get made, which is

selecting what we're going to call a Noise
protocol. And the Noise… And this notion

of the Noise protocol is going to
encapsulate everything else that happens.

It's just a linear sequence of code, it's
going to be the AKE plus whatever

transport encryption happens after that.
So with this framework we've hopefully…

You know, we hate decision-making at
runtime but we're going to compress it

down to one if we have to and then call
everything else just a straight line

sequence of code. The next thing we're
going to do to make this framework sort of

manageable and break it down, is zoom in
on this notion of the Noise protocol and

break that into pieces too. And so we're
going to view that as a combination of,

what we call a handshake pattern, with
some actual crypto algorithms. And a

handshake pattern is going to be like an
abstract notion of an AKE, so it's going

to be an AKE protocol that just says: do
some sort of Diffie-Hellman, encrypt this

in some way, hash this in some way, but
it's not going to tell you what crypto to

use. You're going to plug in crypto, and
it's that combination of things is gonna

give you a concrete Noise protocol, which
is in kind of an implementable unit of

this framework. So, the whole framework
then kind of ends up being like this: the

sort of core central piece is this notion
of the Noise protocol which is, what we've

probably spent most of our engineering
effort on, where we combine some abstract

notion of an AKE, a handshake pattern,
with some crypto to get a Noise protocol.

We're going to imagine a negotiation layer
that can really just make one decision

which is: does the server want to switch
from the initial noise protocol to a

different one. So we're only going to
allow one transition, just to make things

really simple. And then the only other
layer we're going to add, is this notion

of an encoding layer which is that, we
might want to send our messages over TCP,

in which case we'd have to add length
fields. Or we might send them over HTTP,

in which case we'll have to encode them as
HTTP requests. So we have this kind of

abstract notion of our protocol, but we
might need to add a little bit more

encoding to actually fit it into a
particular context. And that's, you know,

that's gonna be kind of just the whole way
we build secure channel protocols. So, the

main thing that you're going to interact
with, is, or the kind of central piece of

this is the Noise protocol and the main
way that you're going to interact with

Noise protocols and design them as a user,
is by just giving them names. And so we

have this notion of, you can precisely
name a Noise protocol and then that just,

kind of like, defines the entire protocol.
So here we have a Noise protocol that's,

you know, this is a concrete implementable
thing: it uses the NX pattern which, I

haven't explained what that means, but it
also combines that pattern that AKE notion

with Curve25519 for Diffie-Hellman, with
AES-GCM for encryption, with SHA-256 for

hashing, we can plug in or out different
options of any one of these things. So we

could have different patterns, different
ciphers, etc. to get a Noise protocol and

then the specification, and most of our
Noise libraries can take this name and

will just automatically know what to do.
They'll synthesize a whole protocol around

this, just with some some pretty simple
rules. And, so the pattern notion and the

way we're naming patterns… There is a
naming convention here but I think more

important than understanding the naming
convention, is understanding this simple

language that it's built on top of. And,
so we're gonna have a sort of simple

language for describing a range of sort of
abstract AKE patterns based on, based on

this set of concepts, based on just saying
we have Alice and Bob, they each might

have a static key and they might have an
ephemeral key, and the only things we're

gonna allow them to do, as part of their
AKE protocol, is send their public keys

back and forth and do Diffie-Hellman
operations and the only Diffie-Hellman

operations they can do are, you know,
these four involving some combination of

their keys which you can just read from
left to right, so they can do this static-

static Diffie-Hellman, they can do the
Alice's static to Bob's ephemeral which

sort of authenticates Alice, you can do
Alice's ephemeral to Bob's static which

authenticates Bob, or they can do this EE
Diffie-Hellman for forward secrecy. So

we're going to allow them just to combine
these units in different ways and get a

wide range of different AKEs out of this.
So let's start demonstrate... I'm going to

demonstrate a bunch of patterns and kind
of go through them quickly, and let's

start with something that's very simple,
which is just a public key encryption. So

this AKE pattern doesn't even describe an
interactive protocol, it's just Alice

encrypting a message to Bob. And so, our
little language here, we're going to add

three dots to indicate when Alice has
prior knowledge of something before the

protocol starts. So this is a protocol
where Alice knows Bob's public key at the

outset. She's going to send one message
which is an ephemeral public key she

chooses. She's going to do an ES,
Ephemeral Static Diffie-Hellman, to

authenticate Bob and that's going to give
her public key encryption because then

she's going to have keys that she can use
for sort of the transport phase encryption

of the message she's sending to Bob. So
that's just--you could think of this as in

like an ECIES or an ephemeral static
public key encryption. We could make this

more complicated by saying both parties
know their public keys and we want Alice

to authenticate to Bob, and now we just
throw in the static-static encryption and

now we have Alice authenticating herself
to Bob. We could make another step in

complexity and say we want Alice to
authenticate herself to Bob and also send

her public key to Bob, and she might also
have to send certificates and things like

that to convince Bob her public key is to
be trusted. That can go in the transport

payload, but the point is now we've taken
Alice's public key and say instead of it

being prior knowledge of Bob's, it's
transported in the message itself, and

we're going to have this additional rule
which is that any time we send the static

public key we're gonna encrypt it with all
the other keys that have come before. So

in this case Alice's static public key is
encrypted with the output of the ephemeral

static DH, which provides some identity
hiding, so someone looking at the wire

doesn't know who Alice's is, even though
Bob knows. We can move on to interactive

protocols and look at unauthenticated
Diffie-Hellman, just looks like this: an

exchange of the ephemeral public keys and
a Diffie-Hellman. You could add server

authentication to that, where the server
just sends its static public key and does

a Diffie-Hellman. You could imagine that
the server's public key is known in

advance by the client and in this case
we're not transporting it from the server,

but if we're in this case we can use
something even better, which is kind of a

nice property of the style of protocol. We
can move that ephemeral static DH from the

second message to the first and say Alice
can actually do zero round-trip encryption

to Bob or to the server's public key. So
she does--the first message there is

essentially what I earlier called the
public key encryption. She's just

encrypting straight away to Bob in her
first message, and that's something we can

do with a Diffie-Hellman-based AKE that
you can't do with say a signature-based

AKE, because if Bob's static key is the
signing key you would not be able to

encrypt to it. So, you know, that's kind
of an example of some nice features we get

from this style of AKE. We could continue
making things more complicated. So we

could add not just zero round-trip
encryption, zero round-trip

authentication, in this first flow by
having Alice send her identity and doing

an additional Diffie-Hellman. And if we're
doing that we should probably also refresh

the authentication in the second message
with this ES so that Bob's authentication

of Alice is based on a fresh ephemeral
instead of a long-term static key which

could potentially be compromised. And if
we do all this, we get actually--this is

very close to WireGuard's pattern.
WireGuard adds an additional feature that

is a pre-shared symmetric key, and that's
something that, you know, we designed

working with the WireGuard designer Jason
Donenfeld that just allows you to add an

extra key that gets mixed into everything.
The idea being that in a VPN context the

two parties want to share a secret key,
then your security will depend on either

that or all these Diffie-Hellmans, and so
even if someone is able to break Diffie-

Hellman through cryptanalysis or a quantum
computer, if you've shared a secret key

through some other means they would not be
able to go back and break your traffic. So

that's kind of just an example of how we
can take this language that is a fairly

simple language, extend it with new
features, and we're interested in

continuing that process and adding new
features onto this. So, you know things

that are there in the mix is trying to
figure out how to add you know post

quantum resistant algorithms to provide
hybrid forward secrecy onto these

protocols, even going back and adding the
notions of signatures into this. Because

just like all this machinery we have is
good for Diffie-Hellman based protocols,

probably we can take all these notions of
patterns and of Noise protocols and how

our approach to negotiation and
apply them even to more conventional AKEs

into other things as well. So that's sort
of our framework, you know it ends up

looking kind of like this, with some, you
know, a very simple negotiation layer

switching to this very linear notion of a
fixed Noise protocol that you can assemble

together by taking an abstract notion of
patterns and combining it with

cryptography of your choice. You know
we're still working on a lot of extensions

for this, I'd love to get more people who
wanted to experiment with it or use it for

anything. You can find more on our website
which has links to our mailing list as

well. I'm happy to talk about it with
anyone. There's gonna be a WireGuard meet

up tomorrow at 3 o'clock and I'll probably
be milling around there as well, but if

you want to talk to Jason and other
WireGuard people and see how all this

works in a concrete context, that would be
you know a good way to learn more about

it. Thank you for listening, and do I have
time for questions? Maybe a brief amount

of time.
<i>applause</i>

Herald-Angel: Microphone one.
Question: So in the context of like multi-

party systems, if you have like a person
that has either multiple devices or

multiple keys, is there anything that you
could use inside Noise to work with that

so that you have like messages being sent
to both identities, or would you recommend

some doing something like that over like a
central registry and then linking the keys

and having it sent to one and the devices
sharing with each other?

Answer: Yeah that's a good question, I
mean I think that really gets into the

scope of what like secure messaging
protocols try to address, is when you have

notions of groups and want to be
consistent with the group and you want to

talk to everyone in the group and maybe
everyone in the group isn't online at the

same time, and I would say that's a
different and more complex class of

protocols that we're kind of just not
trying to handle here. I think with Noise

hopefully we're looking at something
that's a very simple and well understood

design space so we can build a lot of
machinery around it, because it's so

simple, and these other cases you're
talking about I think just add a lot of

complexity about how you would want to do
all those things. So we've kind of just

chosen a narrow scope to make this
specific problem a lot easier, I would

say.
Q: Okay, thanks!

Q: Does Noise include any of the
ratcheting or sort of key evolution over

time properties that we've seen in
protocols like this in the past?

A: No, so Noise has a pretty simple model
of just you have like a handshake phase

and a transport phase and the transport
phase just uses a key. Now we have added a

notion of being able to like update this
key by just replacing it with, like, you

know, some of its own output, essentially.
So we can kind of roll it forward in a

very simple way and we have an efficient
way of doing that, so you could do things

like have every one of your messages
update the key to the next key, and then

you have within the protocol forward
secrecy. We don't try to do like more

complicated things with Diffie-Hellman
ratchets or anything like that,

Q: When would be--what's the simple sales
pitch for why to use Noise over TLS?

A: You know, probably the simplest sales
pitch would be like, if you really really

want your protocol to just do like one
thing and you don't want to drag around a

lot of code that does like a lot of
things, you know like Noise will let you

produce a very fine-tuned protocol that's
a very small amount of code that just does

like one thing pretty easily.

Herald: That's it, thanks a lot

Perrin: Thank you.
<i>applause</i>

<i>postroll music</i>

subtitles created by c3subtitles.de
in the year 2018. Join, and help us!