Can Noise be used asynchronously without weakening its security properties?
Specifically, there are two users, A and B, who communicate asynchronously by leaving messages for each other on an untrusted server, but they may never be online at the same time. They know each other’s public static keys in advance, so the KK pattern seems appropriate:
KK: -> s <- s ... -> e, es, ss <- e, ee, se
It seems to me that this pattern could be used asynchronously without weakening it.
A and B both initially upload a bunch of ephemeral public keys to the server, and top up the supply when they connect at later times.
Now A wants to send a message to B:
- Download one of B’s ephemeral keys from the server, and run the first handshake step.
- Run the second handshake step, generating an encrypted public ephemeral key (so handshake is done).
- Run Noise again with the plain-text as a payload, generating an encrypted transport message.
- Upload a concatenation of B’s plain-text ephemeral key, A’s encrypted ephemeral key, and the encrypted message.
When B comes online and downloads the message, they:
- Discard the message if the plain-text ephemeral key is not on their list of unused keys.
- Run the two steps of the handshake.
- Decrypt the encrypted message.
(So in this scenario, B is the initiator and A is the responder.)
I hope this is not off-topic. I thought it was OK because I’m asking more about how to use an existing protocol rather than asking for cryptanalysis of my own design.