Noise IXpsk0

This section uses the following notation for keys:

Q is the pre-shared key
E_i^pub is the initiator ephemeral public key
S_r^priv is the responder static private key
T^send, T^recv are the session keys derived

The Noise handshake starts with initiator (I) and responder (R) computing the hash function of the protocol name:

h₀ = hash("Noise_IXpsk0_25519_ChaChaPoly_SHA256")
ck₀ = h₀

Then the tokens of the handshake pattern are processed sequentially:

-> psk, e, s
The initiator computes:
(ck₁, t, k₀) = HKDF₃(ck₀, Q)
h₁ = hash(h₀ || t)
(E_i^pub, E_i^priv) = keygen()
write E_i^pub
h₂ = hash(h₁ || E_i^pub)
(ck₂, k₁) = HKDF₂(ck₁, E_i^pub)
encrypted-static = enc(k₁, 0, S_i^pub, h₂)
write encrypted-static
h₃ = hash(h₂ || encrypted-static)
encrypted-data = enc(k₁, 1, S_i^pub, h₂)
h₄ = hash(h₃ || encrypted-data)
<- e, ee, se, s, es
The responder computes:
(E_r^pub, E_r^priv) = keygen()
write E_r^pub
h₅ = hash(h₄ || E_r^pub)
(ck₃, k₂) = HKDF₂(ck₂, E_r^pub)
(ck₄, k₃) = HKDF₂(ck₃, DH(E_i^pub, E_r^priv))
(ck₅, k₄) = HKDF₂(ck₄, DH(S_i^pub, E_r^priv))
encrypted-static = enc(k₄, 2, S_i^pub, h₅)
write encrypted-static
h₆ = hash(h₅ || encrypted-static)
(ck₆, k₅) = HKDF₂(ck₅, DH(E_i^pub, S_r^priv))
encrypted-data = enc(k₅, 4, data, h₆)
write encrypted-data
h₇ = hash(h₆ || encrypted-data)

A the end both initiator and responder will compute the session keys:

(T^send, T^recv) = HKDF₂(ck₇, empty)