Noise Protocol Framework

This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages) This article's lead section may be too long. Please read the length guidelines and help move details into the article's body. (December 2024) This article may require copy editing for grammar, style, cohesion, tone, or spelling. You can assist by editing it. (December 2024) (Learn how and when to remove this message) This article's tone or style may not reflect the encyclopedic tone used on Wikipedia. See Wikipedia's guide to writing better articles for suggestions. (December 2024) (Learn how and when to remove this message) This article contains instructions, advice, or how-to content. Please help rewrite the content so that it is more encyclopedic or move it to Wikiversity, Wikibooks, or Wikivoyage. (December 2024) (Learn how and when to remove this message)

The Noise Protocol Framework, sometimes referred to as "Noise" or "Noise Framework", is a public domain cryptographic framework^[1] for creating secure communication protocols based on Diffie–Hellman key exchange.^[2] Developed by Trevor Perrin, the framework defines a series of handshake patterns—predefined sequences of message exchanges—that outline how parties initiate communication, exchange keys, and establish shared secrets. These patterns can be combined and customized to meet specific security requirements, such as mutual authentication, forward secrecy, and identity protection.

Several popular software applications and protocols, including the messaging platforms WhatsApp and Slack^[3] and the VPN protocol WireGuard, have used implementations of the Noise Framework to ensure end-to-end encryption for user communications. The framework remains a topic of development, including post-quantum adaptations.^[4] The framework is currently at revision 34, published in July 2018.^[1]

Most secure channel protocols rely on authenticated key exchange (AKE) using digital signatures (for authentication) and Diffie–Hellman (for key exchange). In the 2000s–2010s, interest grew in developing pure Diffie–Hellman-based AKEs, without signatures,^[5] leading to both theoretical (e.g., Kudla-Paterson,^[6] NAXOS,^[7] Ntor)^[8] and practical advancements (e.g., Ntor,^[8] NaCl, CurveCP, DNSCurve, OPTLS).^[9] These were often developed from scratch. The Noise Protocol Framework was developed by Trevor Perrin, with support from Moxie Marlinspike, introducing two key innovations:^[5]

1. Combining simple elements to construct various protocols.
2. Using “sponge-like” symmetric cryptography, inspired by cryptographer Mike Hamburg's^[10] Strobe protocol framework.^[11]

The Framework evolved based on work initially conducted at Open Whisper Systems, the software organization from which the Signal Protocol and Signal messaging app originated. While unrelated to the signal processing concept of noise, the choice of “Noise” as the name for this cryptographic protocol might be a play on the signal vs. noise concept.

Originally maintained as a wiki starting from February 10, 2013,^[12] the framework's development began with an initial commit to its specification on August 4, 2014.^[13] The framework evolved through numerous revisions following mailing list discussions until version 34 on July 11, 2018.^[14] The Noise Protocol Framework acknowledges^[15] inspiration from previous cryptographic designs (e.g., NaCl, CurveCP or the KDF chains used in the Double Ratchet Algorithm) and contributions from figures in cryptography and computing (e.g., Jason Donenfeld, Hugo Krawczyk).

During its development, the Noise Protocol Framework evolved alongside TLS 1.3, including 2015 discussions^[16] comparing the protocols, particularly the “OPTLS” proposal.^[17] Both projects spanned from 2014 to 2018, with the first draft of TLS 1.3 RFC 8446^[18] released in August 2014 and the final Proposed Standard in August 2018. The Noise Framework provided an alternative approach, enabling the selection of specific handshake patterns and cryptographic algorithms to design protocols tailored to specific security properties and performance needs.

Formal verifications^[19] of the Noise Protocol Framework have evaluated its security properties. Studies have employed automated tools to model and verify various handshake patterns within the framework,^[20][21] assessing their resilience against a range of attacks.

A secure channel protocol has two phases:

• the handshake phase: authenticates and establishes shared secret keys using Diffie-Hellman key exchange (DH) for Authenticated Key Exchange (AKE)
• the transport phase: uses shared secret keys to encrypt data

The handshake pattern can be described in a diagram as a set of messages, each annotated with a list of tokens that describe cryptographic operations performed on a party's handshake state.

The specification lists three one-way handshake patterns, and 12 fundamental interactive handshake patterns. There are variations of some of these:

• deferred patterns, where the authentication DHs are deferred to the next message. A numeral 1 is used after the first and/or second character, e.g. NK1 or X1X1
• a pre-shared symmetric key to support protocols where both parties have a 32-byte shared secret key, e.g. Npsk0 or Xpsk1
• compound protocols in which the roles of initiator and responder get reversed as a negotiation mechanism via the fallback modifier. A Noise Pipe is an example found in §10.4^[22]

A real world example comes from WireGuard whose Construction on page 10 of the Whitepaper is Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s.

Each handshake pattern can be combined with one of the 16 combination of the 8 cryptographic algorithms listed in the Specification. As those algorithms are of comparable quality and do not enlarge the design space.

The Specification outlines an API in §5^[23] using the following objects each having a small set of methods:

• A CipherState object contains k and n variables, which it uses to encrypt and decrypt ciphertexts. During the handshake phase each party has a single CipherState, but during the transport phase each party has two CipherState objects: one for sending, and one for receiving.
• A SymmetricState object contains a CipherState plus ck and h variables. It is so-named because it encapsulates all the "symmetric crypto" used by Noise. During the handshake phase each party has a single SymmetricState, which can be deleted once the handshake is finished.
• A HandshakeState object contains a SymmetricState plus DH variables (s, e, rs, re) and a variable representing the handshake pattern. During the handshake phase each party has a single HandshakeState, which can be deleted once the handshake is finished.

The implementation of a concrete protocol involves the design of message representation, as well as aspects outside the Noise Framework. An example of the latter happens with protocols using UDP transports, such as WireGuard which uses a sliding window to handle out-of-order arrival.

Security properties of several handshake patterns are described in the Specification and can support mutual authentication, forward secrecy, zero round-trip encryption, identity hiding and other advanced features . Formal cryptographic analyses of common handshake patterns have appeared in the academic literature.^[24][25] The second effort has resulted in the online tool Noise Explorer.^[26]

Much of the following consists of excerpts from the Specification with formatting:

• IK for protocol names consisting of handshake patterns, cryptography and modifiers
• ck for variables in the handshake state machine
• e for tokens in a message pattern
• § prefixes references to sections in the Specification

with the focus on:

• handshake patterns
• security properties and tradeoffs
• application responsibilities and security considerations

To produce a Noise Protocol name for Initialize() you concatenate the ASCII string Noise_ with four underscore-separated name sections which sequentially name the handshake pattern, the DH functions, the cipher functions, and then the hash functions. The resulting name must be 255 bytes or less.^[27] Examples:

• Noise_XX_25519_AESGCM_SHA256
• Noise_N_25519_ChaChaPoly_BLAKE2s
• Noise_IK_448_ChaChaPoly_BLAKE2b

Each name section must consist only of alphanumeric characters (i.e. characters in one of the ranges "A"..."Z", "a"..."z", and "0"..."9"), and the two special characters "+" and "/".

Additional rules apply to each name section, as specified below.

A handshake pattern name section contains a handshake pattern name plus a sequence of zero or more pattern modifiers.^[28]

The handshake pattern name must be an uppercase ASCII string containing only alphabetic characters or numerals (e.g. XX1 or IK).

Pattern modifiers specify arbitrary extensions or modifications to the behavior specified by the handshake pattern. For example, a modifier could be applied to a handshake pattern which transforms it into a different pattern according to some rule. The psk0 and fallback modifiers are examples of this, and will be defined later in this document.

A pattern modifier is named with a lowercase alphanumeric ASCII string which must begin with an alphabetic character (not a numeral). The pattern modifier is appended to the base pattern as described below:

The first modifier added onto a base pattern is simply appended. Thus the fallback modifier, when added to the XX pattern, produces XXfallback. Additional modifiers are separated with a plus sign. Thus, adding the psk0 modifier would result in the name section XXfallback+psk0, or a full protocol name such as Noise_XXfallback+psk0_25519_AESGCM_SHA256.

In some cases the sequential ordering of modifiers will specify different protocols. However, if the order of some modifiers does not matter, then they are required to be sorted alphabetically (this is an arbitrary convention to ensure interoperability).

The rules for the DH, cipher, and hash name sections are identical. Each name section must contain one or more algorithm names separated by plus signs.^[29]

Each algorithm name must consist solely of alphanumeric characters and the forward-slash character ("/"). Algorithm names are recommended to be short, and to use the "/" character only when necessary to avoid ambiguity (e.g. SHA3/256 is preferable to SHA3256).

In most cases there will be a single algorithm name in each name section (i.e. no plus signs). Multiple algorithm names are only used when called for by the pattern or a modifier.

None of the patterns or modifiers in this document require multiple algorithm names in any name section. However, this functionality might be useful in future extensions. For example, multiple algorithm names might be used in the DH section to specify "hybrid" post-quantum forward secrecy; or multiple hash algorithms might be specified for different purposes.

The Specification lists 8 modern algorithms with the following names.^[30][31]

The Wiki has this list of unofficial algorithms;^[32] I've omitted the Post-Quantum ones as the entries pre-date the NIST Post-Quantum Cryptography Standardization effort starting in 2016 with the first three Post Quantum Crypto Standards: FIPS 203, FIP 204, and FIP 205 in 2024.

Here we^[who?] document some names which could be used for nonstandard algorithms, so that experimental use of these algorithms could use consistent names (NOTE: None of these algorithms are endorsed for use with Noise, use at your own risk).

Noise Protocols have a prologue input which allows arbitrary data to be hashed into the h variable. If both parties do not provide identical prologue data, the handshake will fail due to a decryption error. This is useful when the parties engaged in negotiation prior to the handshake and want to ensure they share identical views of that negotiation.^[42]

For example, suppose Bob communicates to Alice a list of Noise Protocols that he is willing to support. Alice will then choose and execute a single protocol. To ensure that a "man-in-the-middle" did not edit Bob's list to remove options, Alice and Bob could include the list as prologue data.

Note that while the parties confirm their prologues are identical, they don't mix prologue data into encryption keys. If an input contains secret data that's intended to strengthen the encryption, a PSK handshake should be used instead (see §9).

The following handshake patterns represent "one-way" handshakes supporting a one-way stream of data from a sender to a recipient. These patterns could be used to encrypt files, database records, or other non-interactive data streams.^[43]

Following a one-way handshake the sender can send a stream of transport messages, encrypting them using the first CipherState returned by Split() The second CipherState from Split() is discarded - the recipient must not send any messages using it (as this would violate the rules in §7.3).

One-way patterns are named with a single character, which indicates the status of the sender's static key:

• N = No static key for sender
• K = Static key for initiator Known to responder
• X = Static key for sender Xmitted ("transmitted") to recipient

N:

 <- s
 ...
 -> e, es

K:

 -> s
 <- s
 ...
 -> e, es, ss

X:

 <- s
 ...
 -> e, es, s, ss

N is a conventional DH-based public-key encryption. The other patterns add sender authentication, where the sender's public key is either known to the recipient beforehand (K) or transmitted under encryption (X).

The following handshake patterns represent interactive protocols. These 12 patterns are called the "fundamental" interactive handshake patterns.^[44]

The fundamental interactive patterns are named with two characters, which indicate the status of the initiator and responder's static keys:

The first character refers to the initiator's static key:

• N = No static key for initiator
• K = Static key for initiator Known to responder
• X = Static key for initiator Xmitted ("transmitted") to responder
• I = Static key for initiator Immediately transmitted to responder, despite reduced or absent identity hiding

The second character refers to the responder's static key:

• N = No static key for responder
• K = Static key for responder Known to initiator
• X = Static key for responder Xmitted ("transmitted") to initiator

The first two columns in the table above, prior to each message pattern, lists the security properties for Noise handshake and transport payloads for all the one-way patterns in §7.4 and the fundamental patterns in §7.5. Each payload is assigned a "source" property regarding the degree of authentication of the sender provided to the recipient, and a "destination" property regarding the degree of confidentiality provided to the sender.

For the sender:

• 0. No authentication. This payload may have been sent by any party, including an active attacker.

Used by: IN#1, IN#2, IN#4, IX#1, KN#2, KN#3, KN#5, KX#2, NK#2, NK#4, NN#1, NN#2, NN#3, NX#1, NX#3, XK#2, XN#1, XN#2, XN#4, XX#1

• 1. Sender authentication vulnerable to key-compromise impersonation (KCI). The sender authentication is based on a static-static DH (ss) involving both parties' static key pairs. If the recipient's long-term private key has been compromised, this authentication can be forged. Note that a future version of Noise might include signatures, which could improve this security property, but brings other trade-offs.

Used by: IK#2, IN#3, KK#3, KN#4, NK#3, NN#2, NN#3, NX#2, XK#3, XN#2, XN#3, XX#2

• 2. Sender authentication resistant to key-compromise impersonation (KCI). The sender authentication is based on an ephemeral-static DH (es or se) between the sender's static key pair and the recipient's ephemeral key pair. Assuming the corresponding private keys are secure, this authentication cannot be forged.

Used by: IK#2, IK#3, IK#4, IK#5, IN#3, IX#2, IX#3, IX#4, KK#3, KK#4, KK#5, KK#6, KN#4, KX#3, KX#4, KX#5, NK#2, NK#3, NX#2, XK#2, XK#3, XK#4, XK#5, XN#3, XX#2, XX#3, XX#4

For the recipient:

• 0. No confidentiality. This payload is sent in cleartext.

Used by: IN#1, IN#2, IN#4, IX#1, KN#2, KN#3, KN#5, KX#2, NK#2, NK#4, NN#1, NN#2, NN#3, NX#1, NX#3, XK#2, XN#1, XN#2, XN#4, XX#1

• 1. Encryption to an ephemeral recipient. This payload has forward secrecy, since encryption involves an ephemeral-ephemeral DH (ee). However, the sender has not authenticated the recipient, so this payload might be sent to any party, including an active attacker.

Used by: IK#2, IN#3, KK#3, KN#4, NK#3, NN#2, NN#3, NX#2, XK#3, XN#2, XN#3, XX#2

• 2. Encryption to a known recipient, forward secrecy for sender compromise only, vulnerable to replay. This payload is encrypted based only on DHs involving the recipient's static key pair. If the recipient's static private key is compromised, even at a later date, this payload can be decrypted. This message can also be replayed, since there's no ephemeral contribution from the recipient.

Used by: IK#2, IK#3, IK#4, IK#5, IN#3, IX#2, IX#3, IX#4, KK#3, KK#4, KK#5, KK#6, KN#4, KX#3, KX#4, KX#5, NK#2, NK#3, NX#2, XK#2, XK#3, XK#4, XK#5, XN#3, XX#2, XX#3, XX#4

• 3. Encryption to a known recipient, weak forward secrecy. This payload is encrypted based on an ephemeral-ephemeral DH and also an ephemeral-static DH involving the recipient's static key pair. However, the binding between the recipient's alleged ephemeral public key and the recipient's static public key hasn't been verified by the sender, so the recipient's alleged ephemeral public key may have been forged by an active attacker. In this case, the attacker could later compromise the recipient's static private key to decrypt the payload. Note that a future version of Noise might include signatures, which could improve this security property, but brings other trade-offs.

Used by: IN#2, IX#2, KN#3, KX#3

• 4. Encryption to a known recipient, weak forward secrecy if the sender's private key has been compromised. This payload is encrypted based on an ephemeral-ephemeral DH, and also based on an ephemeral-static DH involving the recipient's static key pair. However, the binding between the recipient's alleged ephemeral public and the recipient's static public key has only been verified based on DHs involving both those public keys and the sender's static private key. Thus, if the sender's static private key was previously compromised, the recipient's alleged ephemeral public key may have been forged by an active attacker. In this case, the attacker could later compromise the intended recipient's static private key to decrypt the payload (this is a variant of a "KCI" attack enabling a "weak forward secrecy" attack). Note that a future version of Noise might include signatures, which could improve this security property, but brings other trade-offs.

Used by: IK#3, KK#4

• 5. Encryption to a known recipient, strong forward secrecy. This payload is encrypted based on an ephemeral-ephemeral DH as well as an ephemeral-static DH with the recipient's static key pair. Assuming the ephemeral private keys are secure, and the recipient is not being actively impersonated by an attacker that has stolen its static private key, this payload cannot be decrypted.

Used by: IK#4, IK#5, IN#4, IX#3, IX#4, KK#5, KK#6, KN#5, KX#4, KX#5, NK#4, NX#3, XK#4, XK#5, XN#4, XX#3, XX#4

The following table lists the identity-hiding properties for all the one-way handshake patterns in §7.4 and the fundamental handshake patterns in §7.5. In addition, we list a few deferred handshake patterns which have different identity-hiding properties than the corresponding fundamental pattern.^[45]

Each pattern is assigned properties describing the confidentiality supplied to the initiator's static public key, and to the responder's static public key. The underlying assumptions are that ephemeral private keys are secure, and that parties abort the handshake if they receive a static public key from the other party which they don't trust.

This section only considers identity leakage through static public key fields in handshakes. Of course, the identities of Noise participants might be exposed through other means, including payload fields, traffic analysis, or metadata such as IP addresses.

The properties for the relevant public key are:

• 0. Transmitted in clear.
• 1. Encrypted with forward secrecy, but can be probed by an anonymous initiator.
• 2. Encrypted with forward secrecy, but sent to an anonymous responder.
• 3. Not transmitted, but a passive attacker can check candidates for the responder's private key and determine whether the candidate is correct. An attacker could also replay a previously recorded message to a new responder and determine whether the two responders are the "same" (i.e. are using the same static key pair) by whether the recipient accepts the message.
• 4. Encrypted to responder's static public key, without forward secrecy. If an attacker learns the responder's private key they can decrypt the initiator's public key.
• 5. Not transmitted, but a passive attacker can check candidates for the pair of (responder's private key, initiator's public key) and learn whether the candidate pair is correct.
• 6. Encrypted but with weak forward secrecy. An active attacker who pretends to be the initiator without the initiator's static private key, then later learns the initiator private key, can then decrypt the responder's public key.
• 7. Not transmitted, but an active attacker who pretends to be the initator without the initiator's static private key, then later learns a candidate for the initiator private key, can then check whether the candidate is correct.
• 8. Encrypted with forward secrecy to an authenticated party.
• 9. An active attacker who pretends to be the initiator and records a single protocol run can then check candidates for the responder's public key.

The fundamental handshake patterns in the previous section perform DH operations for authentication (es and se) as early as possible.^[46]

An additional set of handshake patterns can be described which defer these authentication DHs to the next message. To name these deferred handshake patterns, the numeral 1 is used after the first and/or second character in a fundamental pattern name to indicate that the initiator and/or responder's authentication DH is deferred to the next message.

Deferred patterns might be useful for several reasons:

• The initiator might have prior knowledge of the responder's static public key, but not wish to send any 0-RTT encrypted data.
• In some cases, deferring authentication can improve the identity-hiding properties of the handshake (see §7.8).
• Future extensions to Noise might be capable of replacing DH operations with signatures or KEM ciphertexts, but would only be able to do so if the sender is authenticating themselves (signatures) or the sender is authenticating the recipient (KEM ciphertexts). Thus every fundamental handshake pattern is only capable of having each authentication DH replaced with a signature or KEM ciphertext, but the deferred variants make both replacements possible.

Below are two examples showing a fundamental handshake pattern on the left, and deferred variant(s) on the right. The full set of 23 deferred handshake patterns are in the Appendix §18.^[47]

^[48]

So far we've assumed Alice and Bob wish to execute a single Noise Protocol chosen by the initiator (Alice). However, there are a number of reasons why Bob might wish to switch to a different Noise Protocol after receiving Alice's first message. For example:^[49]

Alice might have chosen a Noise Protocol based on a cipher, DH function, or handshake pattern which Bob doesn't support.

Alice might have sent a "zero-RTT" encrypted initial message based on an out-of-date version of Bob's static public key or PSK.

Handling these scenarios requires a compound protocol where Bob switches from the initial Noise Protocol chosen by Alice to a new Noise Protocol. In such a compound protocol the roles of initiator and responder would be reversed - Bob would become the initiator of the new Noise Protocol, and Alice the responder.

Compound protocols introduce significant complexity as Alice needs to advertise the Noise Protocol she is beginning with and the Noise Protocol(s) she is capable of switching to, and both parties have to negotiate a secure transition.

These details are largely out of scope for this document. However, to give an example of how compound protocols can be constructed, and to provide some building blocks, the following sections define a fallback modifier and show how it can be used to create a Noise Pipe compound protocol.

Noise Pipes support the XX pattern, but also allow Alice to cache Bob's static public key and attempt an IK handshake with 0-RTT encryption.

In case Bob can't decrypt Alice's initial IK message, he will switch to the XXfallback pattern, which essentially allows the parties to complete an XX handshake as if Alice had sent an XX initial message instead of an IK initial message.

The fallback modifier converts an Alice-initiated pattern to a Bob-initiated pattern by converting Alice's initial message to a pre-message that Bob must receive through some other means (e.g. via an initial IK message from Alice). After this conversion, the rest of the handshake pattern is interpreted as a Bob-initiated handshake pattern.^[50]

For example, here is the fallback modifier applied to XX to produce XXfallback:

XX:

 -> e
 <- e, ee, s, es
 -> s, se

XXfallback:

 -> e
 ...
 <- e, ee, s, es
 -> s, se

Note that fallback can only be applied to handshake patterns in Alice-initiated form where Alice's first message is capable of being interpreted as a pre-message (i.e. it must be either e, s, or "e, s").

A typical compound protocol for zero-RTT encryption involves three different Noise Protocols:^[51]

• A full protocol is used if Alice doesn't possess stored information about Bob that would enable zero-RTT encryption, or doesn't wish to use the zero-RTT handshake.
• A zero-RTT protocol allows encryption of data in the initial message.
• A switch protocol is triggered by Bob if he can't decrypt Alice's first zero-RTT handshake message.

There must be some way for Bob to distinguish the full versus zero-RTT cases on receiving the first message. If Alice makes a zero-RTT attempt, there must be some way for her to distinguish the zero-RTT versus switch cases on receiving the response.

For example, each handshake message could be preceded by some negotiation data, such as a type byte (see §13). This data is not part of the Noise message proper, but signals which Noise Protocol is being used.

This section defines the Noise Pipe compound protocol. The following handshake patterns satisfy the full, zero-RTT, and switch roles discussed in the previous section, so can be used to provide a full handshake with a simple zero-RTT option:^[22]

XX:

 -> e
 <- e, ee, s, es
 -> s, se

IK:

 <- s                     
 ...
 -> e, es, s, ss
 <- e, ee, se

XXfallback:

 -> e
 ...
 <- e, ee, s, es
 -> s, se

The XX pattern is used for a full handshake if the parties haven't communicated before, after which Alice can cache Bob's static public key.

The IK pattern is used for a zero-RTT handshake.

The XXfallback pattern is used for a switch handshake if Bob fails to decrypt an initial IK message (perhaps due to having changed his static key).

Email from Trevor Perrin on 4-Mar-2018^[52]

I've created a draft spec for an "NLS" framework that adds a negotiation language ("NoiseLingo") on top of NoiseSocket (hence "NoiseLingoSocket"). This is based on ideas from 1.^[53]

This needs a tweaked NoiseSocket draft, with modifications from 2^[54] (renaming a couple things, and changing the prologue calculation to differentiate the "retry" case, and to add an application prologue):

• The NLS Framework^[55]
• The NoiseSocket Protocol^[56]

The NLS draft also defines some "basic profiles", which are intended as high-level protocols usable by application developers:

• NoiseLink (1-RTT handshake)
• NoiseZeroLink (0-RTT handshake)
• NoiseShortLink (for low-end embedded)
• NoiseAnonBox (public-key encryption)
• NoseAuthBox (public-key encryption + sender auth)

The idea is that NoiseLingo and NLS give you a menu of negotiation fields that are easy to choose from to create profiles. Also, these profiles will have a lot of similarity and thus potential for interop (e.g. a NoiseZeroLink client can talk to a NoiseLink server, by falling back to 1-RTT). And if you start with something simple like NoiseLink, it's easy to add new NLS fields and negotiation options as you discover new needs.

An application built on Noise must consider several issues:^[57]

• Choosing crypto functions: The 25519 DH functions are recommended for typical uses, though the 448 DH functions might offer extra security in case a cryptanalytic attack is developed against elliptic curve cryptography. The 448 DH functions should be used with a 512-bit hash like SHA512 or BLAKE2b. The 25519 DH functions may be used with a 256-bit hash like SHA256 or BLAKE2s, though a 512-bit hash might offer extra security in case a cryptanalytic attack is developed against the smaller hash functions. AESGCM is hard to implement with high speed and constant time in software.
• Extensibility: Applications are recommended to use an extensible data format for the payloads of all messages (e.g. JSON, Protocol Buffers). This ensures that fields can be added in the future which are ignored by older implementations.
• Padding Applications are recommended to use a data format for the payloads of all encrypted messages that allows padding. This allows implementations to avoid leaking information about message sizes. Using an extensible data format, per the previous bullet, may be sufficient.
• Session termination: Applications must consider that a sequence of Noise transport messages could be truncated by an attacker. Applications should include explicit length fields or termination signals inside of transport payloads to signal the end of an interactive session, or the end of a one-way stream of transport messages.
• Length fields: Applications must handle any framing or additional length fields for Noise messages, considering that a Noise message may be up to 65535 bytes in length. If an explicit length field is needed, applications are recommended to add a 16-bit big-endian length field prior to each message.
• Negotiation data: Applications might wish to support the transmission of some negotiation data prior to the handshake, and/or prior to each handshake message. Negotiation data could contain things like version information and identifiers for Noise Protocols. For example, a simple approach would be to send a single-byte type field prior to each Noise handshake message. More flexible approaches might send extensible structures such as protobufs. Negotiation data introduces significant complexity and security risks such as rollback attacks (see next section).

This section collects various security considerations:^[58]

• Authentication: A Noise Protocol with static public keys verifies that the corresponding private keys are possessed by the participant(s), but it's up to the application to determine whether the remote party's static public key is acceptable. Methods for doing so include certificates which sign the public key (and which may be passed in handshake payloads), preconfigured lists of public keys, or "pinning" / "key-continuity" approaches where parties remember public keys they encounter and check whether the same party presents the same public key in the future.
• Session termination: Preventing attackers from truncating a stream of transport
• Rollback: If parties decide on a Noise Protocol based on some previous negotiation that is not included as prologue, then a rollback attack might be possible. This is a particular risk with compound protocols, and requires careful attention if a Noise handshake is preceded by communication between the parties.
• Static key reuse: A static key pair used with Noise should be used with a single hash algorithm. The key pair should not be used outside of Noise, nor with multiple hash algorithms. It is acceptable to use the static key pair with different Noise Protocols, provided the same hash algorithm is used in all of them. (Reusing a Noise static key pair outside of Noise would require extremely careful analysis to ensure the uses don't compromise each other, and security proofs are preserved).
• PSK reuse: A PSK used with Noise should be used with a single hash algorithm. The PSK should not be used outside of Noise, nor with multiple hash algorithms.
• Ephemeral key reuse: Every party in a Noise Protocol must send a fresh ephemeral public key prior to sending any encrypted data. Ephemeral keys must never be reused. Violating these rules is likely to cause catastrophic key reuse. This is one rationale behind the patterns in §7, and the validity rules in §7.3. It's also the reason why one-way handshakes only allow transport messages from the sender, not the recipient.
• Misusing public keys as secrets: It might be tempting to use a pattern with a pre-message public key and assume that a successful handshake implies the other party's knowledge of the public key. Unfortunately, this is not the case, since setting public keys to invalid values might cause predictable DH output. For example, a Noise_NK_25519 initiator might send an invalid ephemeral public key to cause a known DH output of all zeros, despite not knowing the responder's static public key. If the parties want to authenticate with a shared secret, it should be used as a PSK.
• Channel binding: Depending on the DH functions, it might be possible for a malicious party to engage in multiple sessions that derive the same shared secret key by setting public keys to invalid values that cause predictable DH output (as in the previous bullet). It might also be possible to set public keys to equivalent values that cause the same DH output for different inputs. This is why a higher-level protocol should use the handshake hash (h) for a unique channel binding, instead of ck, as explained in §11.2.
• Incrementing nonces: Reusing a nonce value for n with the same key k for encryption would be catastrophic. Implementations must carefully follow the rules for nonces. Nonces are not allowed to wrap back to zero due to integer overflow, and the maximum nonce value is reserved. This means parties are not allowed to send more than 2⁶⁴-1 transport messages.
• Protocol names: The protocol name used with Initialize() must uniquely identify the combination of handshake pattern and crypto functions for every key it's used with (whether ephemeral key pair, static key pair, or PSK). If the same secret key was reused with the same protocol name but a different set of cryptographic operations then bad interactions could occur.
• Pre-shared symmetric keys: Pre-shared symmetric keys must be secret values with 256 bits of entropy.
• Data volumes: The AESGCM cipher functions suffer a gradual reduction in security as the volume of data encrypted under a single key increases. Due to this, parties should not send more than 2⁵⁶ bytes (roughly 72 petabytes) encrypted by a single key. If sending such large volumes of data is a possibility then different cipher functions should be chosen.
• Hash collisions: If an attacker can find hash collisions on prologue data or the handshake hash, they may be able to perform "transcript collision" attacks that trick the parties into having different views of handshake data. It is important to use Noise with collision-resistant hash functions, and replace the hash function at any sign of weakness.
• Implementation fingerprinting: If this protocol is used in settings with anonymous parties, care should be taken that implementations behave identically in all cases. This may require mandating exact behavior for handling of invalid DH public keys.

• Google's "Attested Noise Protocol for Low-TCB Trusted Execution Environments"
• I2P (ntcp2 router)
• Lightning
• libp2p
• Facebook's Libra / Diem (digital currency) (shutdown in 2022^[75])
• nQUIC^[76]
• Slack's Nebula,^[3] "A scalable overlay networking tool"
• WhatsApp
• WireGuard

Some other uses of noise in the general cryptographic sense:

• Additive noise differential privacy mechanisms

• Official website with Specification and Wiki
• Github repos
• slides from a 2017 talk "The Noise Protocol Framework"
• An Introduction to the Noise Protocol Framework
• Using the Noise Protocol Framework to design a distributed capability system
• noisecat: the noise swiss army knife

Presentations:

• 20 minute talk at Real World Crypto 2018 by Trevor Perrin
• 25 minute talk by David Wong