[noise] 5.8. Deriving a new session
Trevor Perrin
trevp at trevp.net
Mon Jul 6 08:45:34 PDT 2015
On Sun, Jul 5, 2015 at 6:07 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Mon, Jul 6, 2015 at 2:57 AM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> I'm not sure how that would work, remember the nonce can be set
>> explicitly based on 64 bits. Anyways, the nonce just needs to be
>> unique, randomizing those bits adds complexity but little benefit.
>
> Fair enough. Speaking of little benefit, you write "k: A symmetric key
> for the cipher algorithm specified in the ciphersuite. This value must
> be at least 256 bits in length for security reasons." This is
> surprising, because you also recommend Curve25519, which provides
> "128-bit security", whatever that means exactly. Wouldn't a more
> reasonable k minimum length be the lowest common denominator?
k is not just the cipher key, it's the "chaining variable" that
accumulates the results from all DH operations. Currently the KDF is
required to be collision-resistant, necessitating a large k.
There might be a different way to handle the chaining, or an argument
that collision-resistance is too strong, but at the moment this seems
simplest.
Trevor
More information about the Noise
mailing list