Designing a cryptographic handshake by hand is one of the most reliable ways to ship a vulnerability. TLS spent two decades patching downgrade attacks, renegotiation bugs, and padding oracles. The lesson the industry slowly absorbed is that handshakes should be generated from a specification, not improvised — and that the security properties of each variant should be provable, not hoped for.
The Noise Protocol Framework, designed by Trevor Perrin (also a co-author of the Double Ratchet), is that idea made concrete. It is not a single protocol. It's a system for describing a whole family of Diffie-Hellman-based handshakes using a compact notation, where each described handshake comes with a known, analyzable set of guarantees.
A Handshake as a Sequence of Tokens
The core insight is that almost any DH handshake can be written as an exchange of messages, and each message is just a list of tokens. There are only a handful of tokens, and each one means "do this one specific cryptographic operation":
- e — generate and send a fresh ephemeral public key
- s — send the sender's static (long-term) public key
- ee — perform DH between both ephemeral keys
- es — DH between one side's ephemeral and the other's static key
- se — the mirror of
es - ss — DH between both static keys
Every time a DH token runs, its output is folded into a running chaining key via HKDF. That chaining key continuously derives the symmetric keys used to encrypt the rest of the handshake. Crucially, once a DH has happened, even the static keys transmitted later in the handshake can be sent encrypted — which is how Noise can hide a party's long-term identity from a passive eavesdropper.
Reading the Pattern Names
Noise handshakes have terse two-letter names like NN, XX, IK, or XK. The two letters describe how each party's static key is handled — the first letter for the initiator, the second for the responder:
| Letter | Meaning | Trade-off |
|---|---|---|
| N | No static key for this party (anonymous) | No authentication of that side |
| K | Static key is known to the other party in advance | Requires out-of-band key distribution |
| X | Static key is transmitted (xmitted) during the handshake | Identity revealed, but only after encryption — protects against passive snooping |
| I | Static key sent immediately, in the first message | Fewer round trips, but identity exposed earlier |
So XX means both sides transmit their static keys mid-handshake (mutual authentication, identity hiding for the initiator). IK means the initiator sends its key immediately while the responder's key is already known — exactly the shape you want for a client connecting to a server whose public key it has pre-loaded. That last one matters in a moment.
A complete Noise protocol name bundles the pattern with its primitives, like Noise_XX_25519_ChaChaPoly_SHA256. That reads as: the XX pattern, Curve25519 for DH, ChaCha20-Poly1305 for authenticated encryption, and SHA-256 for hashing. Swap any component and you get a different, fully specified protocol.
WireGuard: Noise in the Wild
WireGuard is the most visible Noise deployment. Its handshake is built on Noise_IKpsk2 — the IK pattern (each peer pre-configures the other's static public key, exactly how WireGuard config files list a peer's PublicKey), with an optional pre-shared key mixed in as a post-quantum hedge (that's the psk2 part).
This choice explains a lot of WireGuard's character. Because IK assumes you already know the peer's static key, WireGuard has no certificate authorities, no negotiation of cipher suites, and no downgrade surface — there's nothing to negotiate. The cryptographic primitives are fixed: Curve25519, ChaCha20-Poly1305, BLAKE2s. That rigidity is precisely why WireGuard's codebase is a few thousand lines instead of TLS's hundreds of thousands.
The absence of choice is a security feature. Every option in a handshake is a potential downgrade attack; Noise lets a designer commit to exactly one combination and prove what it provides. — the design philosophy shared by WireGuard and Noise
Who Else Uses It
Noise quietly underpins a lot of infrastructure:
- WhatsApp uses Noise Pipes for the client-to-server transport channel (separate from the Signal Protocol that protects message contents end-to-end).
- The Lightning Network (Bitcoin's payment layer) specifies
Noise_XKfor connections between nodes, in its BOLT 8 transport spec. - Slack's Nebula overlay-networking tool and the I2P anonymity network both build on Noise handshakes.
The common thread is engineers who needed a secure transport but had no appetite for inventing one — or for dragging in the full weight of TLS where its flexibility wasn't needed.
The Three State Machines
Implementations organize around three nested objects, which is useful to know if you ever read Noise source code:
- CipherState — holds a symmetric key and a nonce counter; encrypts and decrypts individual messages.
- SymmetricState — wraps a CipherState plus the chaining key and a running handshake hash; this is what absorbs each DH result.
- HandshakeState — wraps the SymmetricState plus all the local and remote keys; this is what actually walks through the token list.
When the handshake finishes, the HandshakeState "splits" into two CipherStates — one for each direction of traffic — and the transport phase begins. From there it's ordinary authenticated encryption with a per-message AEAD nonce, and the careful nonce discipline that implies (see our note on nonce reuse for why that matters).
Why It's a Good Model to Learn
You don't need to be writing protocol code to benefit from understanding Noise. It teaches a transferable instinct: when you evaluate a secure system, ask what handshake it uses and whether that handshake is a named, analyzed construction or a bespoke one. "We rolled our own key exchange" should raise an eyebrow in a way that "we use Noise_IK" or "we use TLS 1.3" does not.
The framework's real contribution is cultural as much as technical: it made "describe your handshake precisely and prove its properties" the default expectation rather than an academic luxury. For a field where the failures are silent and the stakes are everything, that's a meaningful shift — and it's why a notation of six little tokens ended up inside the VPN and the messenger you probably used today.