This article has multiple issues. Please helpimprove it or discuss these issues on thetalk page.(Learn how and when to remove these messages) This articlecontains an excessive amount of intricatedetail. Please helpimprove it byspinning off orrelocating relevant information and removing excessive detail that goes againstWikipedia's inclusion policy.(August 2025) (Learn how and when to remove this message) This articlemay be too technical for most readers to understand. Pleasehelp improve it tomake it understandable to non-experts, without removing the technical details.(December 2024) (Learn how and when to remove this message) This article'stone or style may not reflect theencyclopedic tone used on Wikipedia. See Wikipedia'sguide to writing better articles for suggestions.(December 2024) (Learn how and when to remove this message) This articlecontainsinstructions or advice. Wikipedia is not a guidebook; please helprewrite such content to be encyclopedic or move it toWikiversity,Wikibooks, orWikivoyage.(December 2024) (Learn how and when to remove this message)

TheNoise Protocol Framework, sometimes referred to as "Noise" or "Noise Framework", is apublic domain cryptographicframework^[1] for creatingsecure communicationprotocols based onDiffie–Hellman key exchange.^[2] Developed byTrevor Perrin, the framework defines a series ofhandshake patterns—predefined sequences of message exchanges—that outline how parties initiate communication, exchange keys, and establishshared secrets. These patterns can be combined and customized to meet specific security requirements, such asmutual authentication,forward secrecy, and identity protection.

Several popularsoftware applications andprotocols, including the messaging platformsWhatsApp andSlack^[3] and the VPN protocolWireGuard, have used implementations of the Noise Framework to ensureend-to-end encryption for user communications. The framework remains a topic of development, includingpost-quantum adaptations.^[4] The framework is currently at revision 34, published in July 2018.^[1]

Mostsecure channel protocols rely onauthenticated key exchange (AKE) usingdigital signatures (forauthentication) andDiffie–Hellman (forkey exchange). In the 2000s–2010s, interest grew in developing pure Diffie–Hellman-based AKEs, without signatures,^[5] leading to both theoretical (e.g., Kudla-Paterson,^[6] NAXOS,^[7] Ntor)^[8] and practical advancements (e.g., Ntor,^[8]NaCl,CurveCP,DNSCurve, OPTLS).^[9] These were often developed from scratch. The Noise Protocol Framework was developed by Trevor Perrin, with support fromMoxie Marlinspike, introducing two key innovations:^[5]

1. Combining simple elements to construct various protocols.
2. Using“sponge-like” symmetric cryptography, inspired by cryptographer Mike Hamburg's^[10] Strobe protocol framework.^[11]

The Framework evolved based on work initially conducted atOpen Whisper Systems, the software organization from which theSignal Protocol andSignal messaging app originated. While unrelated to thesignal processing concept ofnoise, the choice of “Noise” as the name for thiscryptographic protocol might be a play on thesignal vs. noise concept.

Originally maintained as awiki starting from February 10, 2013,^[12] the framework's development began with an initialcommit to its specification on August 4, 2014.^[13] The framework evolved through numerous revisions following mailing list discussions until version 34 on July 11, 2018.^[14] The Noise Protocol Framework acknowledges^[15] inspiration from previous cryptographic designs (e.g.,NaCl,CurveCP or theKDF chains used in theDouble Ratchet Algorithm) and contributions from figures in cryptography and computing (e.g.,Jason Donenfeld,Hugo Krawczyk).

During its development, the Noise Protocol Framework evolved alongsideTLS 1.3, including 2015 discussions^[16] comparing the protocols, particularly the “OPTLS” proposal.^[17] Both projects spanned from 2014 to 2018, with the first draft of TLS 1.3 RFC 8446^[18] released in August 2014 and the final Proposed Standard in August 2018. The Noise Framework provided an alternative approach, enabling the selection of specific handshake patterns and cryptographic algorithms to design protocols tailored to specific security properties and performance needs.

Formal verifications^[19] of the Noise Protocol Framework have evaluated itssecurity properties. Studies have employed automated tools to model and verify various handshake patterns within the framework,^[20][21] assessing theirresilience against a range ofattacks.

A secure channel protocol has two phases:

• the handshake phase: authenticates and establishes shared secret keys usingDiffie-Hellman key exchange (DH) forAuthenticated Key Exchange (AKE)
• the transport phase: uses shared secret keys to encrypt data

The handshake pattern can be described in a diagram as a set of messages, each annotated with a list of tokens that describe cryptographic operations performed on a party's handshake state.

The specification lists three one-way handshake patterns, and 12 fundamental interactive handshake patterns. There are variations of some of these:

• deferred patterns, where the authentication DHs are deferred to the next message. A numeral1 is used after the first and/or second character, e.g.NK1 orX1X1
• a pre-shared symmetric key to support protocols where both parties have a 32-byte shared secret key, e.g.Npsk0 orXpsk1
• compound protocols in which the roles of initiator and responder get reversed as a negotiation mechanism via thefallback modifier. A Noise Pipe is an example found in §10.4^[22]

A real-world example comes from WireGuard whoseConstruction on page 10 of theWhitepaper isNoise_IKpsk2_25519_ChaChaPoly_BLAKE2s.

Each handshake pattern can be combined with one of the 16 combinations of the 8 cryptographic algorithms listed in the Specification. Asthose algorithms are of comparable quality and do not enlarge the design space.

The Specification outlines an API in §5^[23] using the followingobjects each having a small set ofmethods:

• ACipherState object containsk andn variables, which it uses to encrypt and decrypt ciphertexts. During the handshake phase, each party has a singleCipherState, but during the transport phase, each party has twoCipherState objects: one for sending, and one for receiving.
• ASymmetricState object contains aCipherState plusck andh variables. It is so-named because it encapsulates all the "symmetric crypto" used by Noise. During the handshake phase, each party has a singleSymmetricState, which can be deleted once the handshake is finished.
• AHandshakeState object contains aSymmetricState plus DH variables (s,e,rs,re) and a variable representing the handshake pattern. During the handshake phase, each party has a singleHandshakeState, which can be deleted once the handshake is finished.

The implementation of a concrete protocol involves the design of message representation, as well as aspects outside the Noise Framework. An example of the latter happens with protocols usingUDP transports, such asWireGuard, which uses a sliding window to handle out-of-order arrival.

Security properties of several handshake patterns are described in the Specification and can support mutual authentication, forward secrecy, zero round-trip encryption, identity hiding, and other advanced features. Formal cryptographic analyses of common handshake patterns have appeared in the academic literature.^[24][25] The second effort has resulted in the online tool Noise Explorer.^[26]

Much of the following consists of excerpts from the Specification with formatting:

• IK for protocol names consisting of handshake patterns, cryptography, and modifiers
• ck for variables in the handshake state machine
• e for tokens in a message pattern
• § prefixes references to sections in the Specification

with the focus on:

• handshake patterns
• security properties and tradeoffs
• application responsibilities and security considerations

To produce a Noise Protocol name forInitialize() you concatenate the ASCII stringNoise_ with four underscore-separated name sections, which sequentially name the handshake pattern, the DH functions, the cipher functions, and then the hash functions. The resulting name must be 255 bytes or less.^[27] Examples:

• Noise_XX_25519_AESGCM_SHA256
• Noise_N_25519_ChaChaPoly_BLAKE2s
• Noise_IK_448_ChaChaPoly_BLAKE2b

Each name section must consist only of alphanumeric characters (i.e. characters in one of the ranges "A"..."Z", "a"..."z", and "0"..."9"), and the two special characters "+" and "/".

Additional rules apply to each name section, as specified below.

A handshake pattern name section contains a handshake pattern name plus a sequence of zero or more pattern modifiers.^[28]

The handshake pattern name must be an uppercase ASCII string containing only alphabetic characters or numerals (e.g.XX1 orIK).

Pattern modifiers specify arbitrary extensions or modifications to the behavior specified by the handshake pattern. For example, a modifier could be applied to a handshake pattern, which transforms it into a different pattern according to some rule. Thepsk0 andfallback modifiers are examples of this and will be defined later in this document.

A pattern modifier is named with a lowercase alphanumeric ASCII string that must begin with an alphabetic character (not a numeral). The pattern modifier is appended to the base pattern as described below:

The first modifier added onto a base pattern is simply appended. Thus, thefallback modifier, when added to theXX pattern, producesXXfallback. Additional modifiers are separated with a plus sign. Thus, adding thepsk0 modifier would result in the name sectionXXfallback+psk0, or a full protocol name such asNoise_XXfallback+psk0_25519_AESGCM_SHA256.

In some cases, the sequential ordering of modifiers will specify different protocols. However, if the order of some modifiers does not matter, then they are required to be sorted alphabetically (this is an arbitrary convention to ensure interoperability).

The rules for the DH, cipher, and hash name sections are identical. Each name section must contain one or more algorithm names separated by plus signs.^[29]

Each algorithm name must consist solely of alphanumeric characters and the forward-slash character ("/"). Algorithm names are recommended to be short, and to use the "/" character only when necessary to avoid ambiguity (e.g.SHA3/256 is preferable toSHA3256).

In most cases, there will be a single algorithm name in each name section (i.e. no plus signs). Multiple algorithm names are only used when called for by the pattern or a modifier.

None of the patterns or modifiers in this document require multiple algorithm names in any name section. However, this functionality might be useful in future extensions. For example, multiple algorithm names might be used in the DH section to specify "hybrid" post-quantum forward secrecy; or multiple hash algorithms might be specified for different purposes.

The Specification lists 8 modern algorithms with the following names.^[30][31]

The Wiki has this list of unofficial algorithms;^[32] I've omitted the Post-Quantum ones as the entries pre-date theNIST Post-Quantum Cryptography Standardization effort starting in 2016 with the first three Post Quantum Crypto Standards: FIPS 203, FIP 204, and FIP 205 in 2024.

Here we^[who?] document some names which could be used for nonstandard algorithms, so that experimental use of these algorithms could use consistent names (NOTE: None of these algorithms are endorsed for use with Noise, use at your own risk).

Noise Protocols have a prologue input that allows arbitrary data to be hashed into the h variable. If both parties do not provide identical prologue data, the handshake will fail due to a decryption error. This is useful when the parties engaged in negotiation prior to the handshake and want to ensure they share identical views of that negotiation.^[42]

For example, suppose Bob communicates to Alice a list of Noise Protocols that he is willing to support. Alice will then choose and execute a single protocol. To ensure that a "man-in-the-middle" did not edit Bob's list to remove options,Alice and Bob could include the list as prologue data.

Note that while the parties confirm their prologues are identical, they don't mix prologue data into encryption keys. If an input contains secret data that's intended to strengthen the encryption, a PSK handshake should be used instead (see §9).

The following handshake patterns represent "one-way" handshakes supporting a one-way stream of data from a sender to a recipient. These patterns could be used to encrypt files, database records, or other non-interactive data streams.^[43]

Following a one-way handshake the sender can send a stream of transport messages, encrypting them using the first CipherState returned bySplit() The second CipherState fromSplit() is discarded - the recipient must not send any messages using it (as this would violate the rules in §7.3).

One-way patterns are named with a single character, which indicates the status of the sender's static key:

• N =No static key for sender
• K = Static key for initiatorKnown to responder
• X = Static key for senderXmitted ("transmitted") to recipient

N:

 <-s ... ->e,es

K:

 ->s <-s ... ->e,es,ss

X:

 <-s ... ->e,es,s,ss

N is a conventional DH-based public-key encryption. The other patterns add sender authentication, where the sender's public key is either known to the recipient beforehand (K) or transmitted under encryption (X).

The following handshake patterns represent interactive protocols. These 12 patterns are called the "fundamental" interactive handshake patterns.^[44]

The fundamental interactive patterns are named with two characters, which indicate the status of the initiator and responder's static keys:

The first character refers to the initiator's static key:

• N =No static key for initiator
• K = Static key for initiatorKnown to responder
• X = Static key for initiatorXmitted ("transmitted") to responder
• I = Static key for initiatorImmediately transmitted to responder, despite reduced or absent identity hiding

The second character refers to the responder's static key:

• N =No static key for responder
• K = Static key for responderKnown to initiator
• X = Static key for responderXmitted ("transmitted") to initiator

The first two columns in the table above, prior to each message pattern, lists the security properties for Noise handshake and transport payloads for all the one-way patterns in §7.4 and the fundamental patterns in §7.5. Each payload is assigned a "source" property regarding the degree of authentication of the sender provided to the recipient, and a "destination" property regarding the degree of confidentiality provided to the sender.

For the sender:

• 0.No authentication. This payload may have been sent by any party, including an active attacker.

Used by:IN#1,IN#2,IN#4,IX#1,KN#2,KN#3,KN#5,KX#2,NK#2,NK#4,NN#1,NN#2,NN#3,NX#1,NX#3,XK#2,XN#1,XN#2,XN#4,XX#1

• 1.Sender authenticationvulnerable to key-compromise impersonation (KCI). The sender authentication is based on a static-static DH (ss) involving both parties' static key pairs. If the recipient's long-term private key has been compromised, this authentication can be forged. Note that a future version of Noise might include signatures, which could improve this security property, but brings other trade-offs.

Used by:IK#2,IN#3,KK#3,KN#4,NK#3,NN#2,NN#3,NX#2,XK#3,XN#2,XN#3,XX#2

• 2.Sender authenticationresistant to key-compromise impersonation (KCI). The sender authentication is based on an ephemeral-static DH (es orse) between the sender's static key pair and the recipient'sephemeral key pair. Assuming the corresponding private keys are secure, this authentication cannot be forged.

Used by:IK#2,IK#3,IK#4,IK#5,IN#3,IX#2,IX#3,IX#4,KK#3,KK#4,KK#5,KK#6,KN#4,KX#3,KX#4,KX#5,NK#2,NK#3,NX#2,XK#2,XK#3,XK#4,XK#5,XN#3,XX#2,XX#3,XX#4

For the recipient:

• 0.No confidentiality. This payload is sent in cleartext.

Used by:IN#1,IN#2,IN#4,IX#1,KN#2,KN#3,KN#5,KX#2,NK#2,NK#4,NN#1,NN#2,NN#3,NX#1,NX#3,XK#2,XN#1,XN#2,XN#4,XX#1

• 1.Encryption to an ephemeral recipient. This payload has forward secrecy, since encryption involves an ephemeral-ephemeral DH (ee). However, the sender has not authenticated the recipient, so this payload might be sent to any party, including an active attacker.

Used by:IK#2,IN#3,KK#3,KN#4,NK#3,NN#2,NN#3,NX#2,XK#3,XN#2,XN#3,XX#2

• 2.Encryption to a known recipient, forward secrecy for sender compromise only, vulnerable to replay. This payload is encrypted based only on DHs involving the recipient's static key pair. If the recipient's static private key is compromised, even at a later date, this payload can be decrypted. This message can also be replayed, since there's no ephemeral contribution from the recipient.

Used by:IK#2,IK#3,IK#4,IK#5,IN#3,IX#2,IX#3,IX#4,KK#3,KK#4,KK#5,KK#6,KN#4,KX#3,KX#4,KX#5,NK#2,NK#3,NX#2,XK#2,XK#3,XK#4,XK#5,XN#3,XX#2,XX#3,XX#4

• 3.Encryption to a known recipient, weak forward secrecy. This payload is encrypted based on an ephemeral-ephemeral DH and also an ephemeral-static DH involving the recipient's static key pair. However, the binding between the recipient's alleged ephemeral public key and the recipient's static public key hasn't been verified by the sender, so the recipient's alleged ephemeral public key may have been forged by an active attacker. In this case, the attacker could later compromise the recipient's static private key to decrypt the payload. Note that a future version of Noise might include signatures, which could improve this security property, but brings other trade-offs.

Used by:IN#2,IX#2,KN#3,KX#3

• 4.Encryption to a known recipient, weak forward secrecy if the sender's private key has been compromised. This payload is encrypted based on an ephemeral-ephemeral DH, and also based on an ephemeral-static DH involving the recipient's static key pair. However, the binding between the recipient's alleged ephemeral public and the recipient's static public key has only been verified based on DHs involving both those public keys and the sender's static private key. Thus, if the sender's static private key was previously compromised, the recipient's alleged ephemeral public key may have been forged by an active attacker. In this case, the attacker could later compromise the intended recipient's static private key to decrypt the payload (this is a variant of a "KCI" attack enabling a "weak forward secrecy" attack). Note that a future version of Noise might include signatures, which could improve this security property, but brings other trade-offs.

Used by:IK#3,KK#4

• 5.Encryption to a known recipient, strong forward secrecy. This payload is encrypted based on an ephemeral-ephemeral DH as well as an ephemeral-static DH with the recipient's static key pair. Assuming the ephemeral private keys are secure, and the recipient is not being actively impersonated by an attacker that has stolen its static private key, this payload cannot be decrypted.

Used by:IK#4,IK#5,IN#4,IX#3,IX#4,KK#5,KK#6,KN#5,KX#4,KX#5,NK#4,NX#3,XK#4,XK#5,XN#4,XX#3,XX#4

The following table lists the identity-hiding properties for all the one-way handshake patterns in §7.4 and the fundamental handshake patterns in §7.5. In addition, we list a few deferred handshake patterns which have different identity-hiding properties than the corresponding fundamental pattern.^[45]

Each pattern is assigned properties describing the confidentiality supplied to the initiator's static public key, and to the responder's static public key. The underlying assumptions are that ephemeral private keys are secure, and that parties abort the handshake if they receive a static public key from the other party which they don't trust.

This section only considers identity leakage through static public key fields in handshakes. Of course, the identities of Noise participants might be exposed through other means, including payload fields, traffic analysis, or metadata such as IP addresses.

The properties for the relevant public key are:

• 0. Transmitted in clear.
• 1. Encrypted with forward secrecy, but can be probed by an anonymous initiator.
• 2. Encrypted with forward secrecy, but sent to an anonymous responder.
• 3. Not transmitted, but a passive attacker can check candidates for the responder's private key and determine whether the candidate is correct. An attacker could also replay a previously recorded message to a new responder and determine whether the two responders are the "same" (i.e. are using the same static key pair) by whether the recipient accepts the message.
• 4. Encrypted to responder's static public key, without forward secrecy. If an attacker learns the responder's private key they can decrypt the initiator's public key.
• 5. Not transmitted, but a passive attacker can check candidates for the pair of (responder's private key, initiator's public key) and learn whether the candidate pair is correct.
• 6. Encrypted but with weak forward secrecy. An active attacker who pretends to be the initiator without the initiator's static private key, then later learns the initiator private key, can then decrypt the responder's public key.
• 7. Not transmitted, but an active attacker who pretends to be the initiator without the initiator's static private key, then later learns a candidate for the initiator private key, can then check whether the candidate is correct.
• 8. Encrypted with forward secrecy to an authenticated party.
• 9. An active attacker who pretends to be the initiator and records a single protocol run can then check candidates for the responder's public key.

The fundamental handshake patterns in the previous section perform DH operations for authentication (es andse) as early as possible.^[46]

An additional set of handshake patterns can be described which defer these authentication DHs to the next message. To name these deferred handshake patterns, the numeral1 is used after the first and/or second character in a fundamental pattern name to indicate that the initiator and/or responder's authentication DH is deferred to the next message.

Deferred patterns might be useful for several reasons:

• The initiator might have prior knowledge of the responder's static public key, but not wish to send any 0-RTT encrypted data.
• In some cases, deferring authentication can improve the identity-hiding properties of the handshake (see §7.8).
• Future extensions to Noise might be capable of replacing DH operations with signatures or KEM ciphertexts, but would only be able to do so if the sender is authenticating themselves (signatures) or the sender is authenticating the recipient (KEM ciphertexts). Thus every fundamental handshake pattern is only capable of having each authentication DH replaced with a signature or KEM ciphertext, but the deferred variants make both replacements possible.

Below are two examples showing a fundamental handshake pattern on the left, and deferred variant(s) on the right. The full set of 23 deferred handshake patterns are in the Appendix §18.^[47]

^[48]

So far we've assumed Alice and Bob wish to execute a single Noise Protocol chosen by the initiator (Alice). However, there are a number of reasons why Bob might wish to switch to a different Noise Protocol after receiving Alice's first message. For example:^[49]

Alice might have chosen a Noise Protocol based on a cipher, DH function, or handshake pattern which Bob doesn't support.

Alice might have sent a "zero-RTT" encrypted initial message based on an out-of-date version of Bob's static public key or PSK.

Handling these scenarios requires a compound protocol where Bob switches from the initial Noise Protocol chosen by Alice to a new Noise Protocol. In such a compound protocol the roles of initiator and responder would be reversed - Bob would become the initiator of the new Noise Protocol, and Alice the responder.

Compound protocols introduce significant complexity as Alice needs to advertise the Noise Protocol she is beginning with and the Noise Protocol(s) she is capable of switching to, and both parties have to negotiate a secure transition.

These details are largely out of scope for this document. However, to give an example of how compound protocols can be constructed, and to provide some building blocks, the following sections define a fallback modifier and show how it can be used to create a Noise Pipe compound protocol.

Noise Pipes support theXX pattern, but also allow Alice to cache Bob's static public key and attempt anIK handshake with 0-RTT encryption.

In case Bob can't decrypt Alice's initialIK message, he will switch to theXXfallback pattern, which essentially allows the parties to complete anXX handshake as if Alice had sent anXX initial message instead of anIK initial message.

Thefallback modifier converts an Alice-initiated pattern to a Bob-initiated pattern by converting Alice's initial message to a pre-message that Bob must receive through some other means (e.g. via an initialIK message from Alice). After this conversion, the rest of the handshake pattern is interpreted as a Bob-initiated handshake pattern.^[50]

For example, here is thefallback modifier applied toXX to produceXXfallback:

XX:

 ->e <-e,ee,s,es ->s,se

XXfallback:

 ->e ... <-e,ee,s,es ->s,se

Note that fallback can only be applied to handshake patterns in Alice-initiated form where Alice's first message is capable of being interpreted as a pre-message (i.e. it must be eithere,s, or "e,s").

A typical compound protocol for zero-RTT encryption involves three different Noise Protocols:^[51]

• A full protocol is used if Alice doesn't possess stored information about Bob that would enable zero-RTT encryption, or doesn't wish to use the zero-RTT handshake.
• A zero-RTT protocol allows encryption of data in the initial message.
• A switch protocol is triggered by Bob if he can't decrypt Alice's first zero-RTT handshake message.

There must be some way for Bob to distinguish the full versus zero-RTT cases on receiving the first message. If Alice makes a zero-RTT attempt, there must be some way for her to distinguish the zero-RTT versus switch cases on receiving the response.

For example, each handshake message could be preceded by some negotiation data, such as a type byte (see §13). This data is not part of the Noise message proper, but signals which Noise Protocol is being used.

This section defines the Noise Pipe compound protocol. The following handshake patterns satisfy the full, zero-RTT, and switch roles discussed in the previous section, so can be used to provide a full handshake with a simple zero-RTT option:^[22]

XX:

 ->e <-e,ee,s,es ->s,se

IK:

 <-s                      ... ->e,es,s,ss <-e,ee,se

XXfallback:

 ->e ... <-e,ee,s,es ->s,se

TheXX pattern is used for a full handshake if the parties haven't communicated before, after which Alice can cache Bob's static public key.

TheIK pattern is used for a zero-RTT handshake.

TheXXfallback pattern is used for a switch handshake if Bob fails to decrypt an initialIK message (perhaps due to having changed his static key).

Email from Trevor Perrin on 4-Mar-2018^[52]

I've created a draft spec for an "NLS" framework that adds anegotiation language ("NoiseLingo") on top of NoiseSocket (hence"NoiseLingoSocket"). This is based on ideas from 1.^[53]

This needs a tweaked NoiseSocket draft, with modifications from 2^[54] (renaming a couple things, and changing the prologue calculation todifferentiate the "retry" case, and to add an application prologue):

• The NLS Framework^[55]
• The NoiseSocket Protocol^[56]

The NLS draft also defines some "basic profiles", which are intendedas high-level protocols usable by application developers:

• NoiseLink (1-RTT handshake)
• NoiseZeroLink (0-RTT handshake)
• NoiseShortLink (for low-end embedded)
• NoiseAnonBox (public-key encryption)
• NoseAuthBox (public-key encryption + sender auth)

The idea is that NoiseLingo and NLS give you a menu of negotiationfields that are easy to choose from to create profiles. Also, theseprofiles will have a lot of similarity and thus potential for interop(e.g. a NoiseZeroLink client can talk to a NoiseLink server, byfalling back to 1-RTT). And if you start with something simple likeNoiseLink, it's easy to add new NLS fields and negotiation options asyou discover new needs.

An application built on Noise must consider several issues:^[57]

• Choosing crypto functions: The25519 DH functions are recommended for typical uses, though the448 DH functions might offer extra security in case a cryptanalytic attack is developed againstelliptic curve cryptography. The448 DH functions should be used with a 512-bit hash likeSHA512 orBLAKE2b. The25519 DH functions may be used with a 256-bit hash likeSHA256 orBLAKE2s, though a 512-bit hash might offer extra security in case a cryptanalytic attack is developed against the smaller hash functions.AESGCM is hard to implement with high speed and constant time in software.
• Extensibility: Applications are recommended to use an extensible data format for the payloads of all messages (e.g.JSON,Protocol Buffers). This ensures that fields can be added in the future which are ignored by older implementations.
• Padding Applications are recommended to use a data format for the payloads of all encrypted messages that allows padding. This allows implementations to avoid leaking information about message sizes. Using an extensible data format, per the previous bullet, may be sufficient.
• Session termination: Applications must consider that a sequence of Noise transport messages could be truncated by an attacker. Applications should include explicit length fields or termination signals inside of transport payloads to signal the end of an interactive session, or the end of a one-way stream of transport messages.
• Length fields: Applications must handle any framing or additional length fields for Noise messages, considering that a Noise message may be up to 65535 bytes in length. If an explicit length field is needed, applications are recommended to add a 16-bit big-endian length field prior to each message.
• Negotiation data: Applications might wish to support the transmission of some negotiation data prior to the handshake, and/or prior to each handshake message. Negotiation data could contain things like version information and identifiers for Noise Protocols. For example, a simple approach would be to send a single-byte type field prior to each Noise handshake message. More flexible approaches might send extensible structures such as protobufs. Negotiation data introduces significant complexity and security risks such as rollback attacks (see next section).

This section collects various security considerations:^[58]

• Authentication: A Noise Protocol with static public keys verifies that the corresponding private keys are possessed by the participant(s), but it's up to the application to determine whether the remote party's static public key is acceptable. Methods for doing so include certificates which sign the public key (and which may be passed in handshake payloads), preconfigured lists of public keys, or "pinning" / "key-continuity" approaches where parties remember public keys they encounter and check whether the same party presents the same public key in the future.
• Session termination: Preventing attackers from truncating a stream of transport
• Rollback: If parties decide on a Noise Protocol based on some previous negotiation that is not included as prologue, then a rollback attack might be possible. This is a particular risk with compound protocols, and requires careful attention if a Noise handshake is preceded by communication between the parties.
• Static key reuse: A static key pair used with Noise should be used with a single hash algorithm. The key pair should not be used outside of Noise, nor with multiple hash algorithms. It is acceptable to use the static key pair with different Noise Protocols, provided the same hash algorithm is used in all of them. (Reusing a Noise static key pair outside of Noise would require extremely careful analysis to ensure the uses don't compromise each other, and security proofs are preserved).
• PSK reuse: A PSK used with Noise should be used with a single hash algorithm. The PSK should not be used outside of Noise, nor with multiple hash algorithms.
• Ephemeral key reuse: Every party in a Noise Protocol must send a fresh ephemeral public key prior to sending any encrypted data. Ephemeral keys must never be reused. Violating these rules is likely to cause catastrophic key reuse. This is one rationale behind the patterns in §7, and the validity rules in §7.3. It's also the reason why one-way handshakes only allow transport messages from the sender, not the recipient.
• Misusing public keys as secrets: It might be tempting to use a pattern with a pre-message public key and assume that a successful handshake implies the other party's knowledge of the public key. Unfortunately, this is not the case, since setting public keys to invalid values might cause predictable DH output. For example, aNoise_NK_25519 initiator might send an invalid ephemeral public key to cause a known DH output of all zeros, despite not knowing the responder's static public key. If the parties want to authenticate with a shared secret, it should be used as a PSK.
• Channel binding: Depending on the DH functions, it might be possible for a malicious party to engage in multiple sessions that derive the same shared secret key by setting public keys to invalid values that cause predictable DH output (as in the previous bullet). It might also be possible to set public keys to equivalent values that cause the same DH output for different inputs. This is why a higher-level protocol should use the handshake hash (h) for a unique channel binding, instead ofck, as explained in §11.2.
• Incrementing nonces: Reusing a nonce value forn with the same keyk for encryption would be catastrophic. Implementations must carefully follow the rules for nonces. Nonces are not allowed to wrap back to zero due tointeger overflow, and the maximum nonce value is reserved. This means parties are not allowed to send more than 2⁶⁴-1 transport messages.
• Protocol names: The protocol name used withInitialize() must uniquely identify the combination of handshake pattern and crypto functions for every key it's used with (whether ephemeral key pair, static key pair, or PSK). If the same secret key was reused with the same protocol name but a different set of cryptographic operations then bad interactions could occur.
• Pre-shared symmetric keys: Pre-shared symmetric keys must be secret values with 256 bits of entropy.
• Data volumes: TheAESGCM cipher functions suffer a gradual reduction in security as the volume of data encrypted under a single key increases. Due to this, parties should not send more than 2⁵⁶ bytes (roughly 72 petabytes) encrypted by a single key. If sending such large volumes of data is a possibility then different cipher functions should be chosen.
• Hash collisions: If an attacker can find hash collisions on prologue data or the handshake hash, they may be able to perform "transcript collision" attacks that trick the parties into having different views of handshake data. It is important to use Noise with collision-resistant hash functions, and replace the hash function at any sign of weakness.
• Implementation fingerprinting: If this protocol is used in settings with anonymous parties, care should be taken that implementations behave identically in all cases. This may require mandating exact behavior for handling of invalid DH public keys.

• Google's "Attested Noise Protocol for Low-TCB Trusted Execution Environments"
• I2P (ntcp2 router)
• Lightning
• libp2p
• Facebook's Libra /Diem (digital currency) (shutdown in 2022^[75])
• nQUIC^[76]
• Slack's Nebula,^[3] "A scalable overlay networking tool"
• WhatsApp
• WireGuard

Some other uses of noise in the general cryptographic sense:

• Additive noise differential privacy mechanisms

• Official website withSpecification andWiki
• Github repos
• slides from a 2017 talk "The Noise Protocol Framework"
• An Introduction to the Noise Protocol Framework
• Using the Noise Protocol Framework to design a distributed capability system
• noisecat: the noise swiss army knife

Presentations:

• 20 minute talk at Real World Crypto 2018 byTrevor Perrin
• 25 minute talk byDavid Wong

• Transport Layer Security
• Presentation layer protocols
• Cryptographic primitives

• CS1 maint: work parameter with ISBN
• Articles with short description
• Short description matches Wikidata
• Wikipedia articles that are excessively detailed from August 2025
• All articles that are excessively detailed
• Wikipedia articles with style issues from August 2025
• All articles with style issues
• Wikipedia articles that are too technical from December 2024
• All articles that are too technical
• Wikipedia articles with style issues from December 2024
• Articles needing cleanup from December 2024
• All pages needing cleanup
• Articles containing how-to sections
• Articles with multiple maintenance issues
• All articles with specifically marked weasel-worded phrases
• Articles with specifically marked weasel-worded phrases from December 2024