[noise] Making sender pubkey encryption more consistent
Stephen Touset
stephen at squareup.com
Thu Jul 31 00:42:57 PDT 2014
Slightly more over-the-wire space, but conceptually simpler and likely easier to implement in software (due to higher code reuse). I’m a fan.
On Jul 30, 2014, at 9:22 PM, Trevor Perrin <trevp at trevp.net> wrote:
> It's sort of inconsistent how a Noise box contains:
> (a) the sender's public-key encrypted WITHOUT padding with a MAC
> (b) the actual contents encrypted WITH padding and a MAC
>
> The sender's public-key doesn't really need padding, but it might be
> simpler if we just used the same padded-encryption for both.
>
> Here's what that might look like, what do people think? -
>
> struct {
>     bytes encrypted_contents[contents_len];
>     bytes encrypted_padding[padding_len];
>     bytes encrypted_padding_len[4];
>     bytes mac[MAC_LEN];
> } NoiseEncryption;
>
> struct {
>     NoiseEncryption header;  # sender public key
>     NoiseEncryption body;    # application data
> } NoiseBox;
>
>
> noise_encrypt(cc, pad_len, contents, authtext=""):
>     plaintext = contents || random(pad_len) || (uint32_little_endian)pad_len
>     encryption = ENCRYPT(cc, plaintext, authtext)
>     return encryption
>
> noise_box(eph_key, sender_key, target_pubkey, pad_len1, pad_len2, app_data,
>           kdf_num, cv):
>     dh1 = DH(eph_key.priv, target_pubkey)
>     dh2 = DH(sender_key.priv, target_pubkey)
>     cv1 || cc1 = KDF(dh1, cv, SUITE_NAME || (byte)kdf_num, CV_LEN + CC_LEN)
>     cv2 || cc2 = KDF(dh2, cv1, SUITE_NAME || (byte)(kdf_num + 1), CV_LEN + CC_LEN)
>     header = noise_encrypt(cc1, pad_len1, sender_key.pub, target_pubkey
>                            || eph_key.pub)
>     body = noise_encrypt(cc2, pad_len2, app_data, target_pubkey || header)
>     return (header || body), cv2
>
> ?
>
> Trevor
--
Stephen Touset
stephen at squareup.com
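
Added example, not part of either message or of the Noise project's code: a Python sketch of the `noise_encrypt` framing proposed in the quoted message, plus a receive side the thread does not spell out, which checks the MAC before reading the trailing `pad_len`. The names `noise_decrypt`, `keystream`, `tag` and `xor`, the SHA-256/HMAC stand-in for `ENCRYPT`, and `MAC_LEN = 32` are assumptions made so it runs with the standard library only.

```python
import hashlib, hmac, os, struct

MAC_LEN = 32  # assumption: HMAC-SHA256 tag; the thread leaves MAC_LEN to the suite

def keystream(cc, n):
    # Stand-in for the suite's cipher (illustration only): SHA-256 counter mode.
    blocks = (hashlib.sha256(cc + b"enc" + struct.pack("<Q", i)).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def tag(cc, authtext, ct):
    # Length-prefix authtext so the authtext/ciphertext boundary is unambiguous.
    msg = struct.pack("<Q", len(authtext)) + authtext + ct
    return hmac.new(cc + b"mac", msg, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def noise_encrypt(cc, pad_len, contents, authtext=b""):
    # plaintext = contents || random(pad_len) || (uint32_little_endian)pad_len
    # cc is treated as single-use here: one cc, one encryption.
    plaintext = contents + os.urandom(pad_len) + struct.pack("<I", pad_len)
    ct = xor(plaintext, keystream(cc, len(plaintext)))
    return ct + tag(cc, authtext, ct)

def noise_decrypt(cc, encryption, authtext=b""):
    # Hypothetical receive side; the quoted message only defines the sender.
    if len(encryption) < 4 + MAC_LEN:
        raise ValueError("shorter than pad_len field plus MAC")
    ct, mac = encryption[:-MAC_LEN], encryption[-MAC_LEN:]
    # Check the MAC first so an unauthenticated pad_len is never parsed.
    if not hmac.compare_digest(mac, tag(cc, authtext, ct)):
        raise ValueError("MAC check failed")
    plaintext = xor(ct, keystream(cc, len(ct)))
    (pad_len,) = struct.unpack("<I", plaintext[-4:])
    if pad_len > len(plaintext) - 4:
        raise ValueError("pad_len larger than the decrypted plaintext")
    return plaintext[:len(plaintext) - 4 - pad_len]

# Constructed sample values (not real keys): a header as in NoiseBox.
if __name__ == "__main__":
    cc1, sender_pub = bytes(32), bytes(range(32))
    authtext = b"target_pubkey||eph_pub (placeholder)"
    header = noise_encrypt(cc1, 16, sender_pub, authtext)
    print(len(header), noise_decrypt(cc1, header, authtext) == sender_pub)
```

With a 32-byte public key, 16 bytes of padding and this 32-byte tag, the padded header is 84 bytes, which is the extra over-the-wire space the reply mentions.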