[noise] New branch: "simpler"
Trevor Perrin
trevp at trevp.net
Thu Oct 1 09:46:25 PDT 2015
On Thu, Oct 1, 2015 at 3:00 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> With a premessage and a handshake name, things wind up looking like:
>
> initiator.key = 32 bytes of zeros
> initiator.hash = HASH("Noise WireGuard zx2c4 2015-09-30" ||
> responder.static_public)
>
> Why not instead initiate the key with the handshake name, instead of the
> hash? It seems like this would also go a bit further in reducing key-reuse
> too. So, instead:
>
> initiator.key = "Noise WireGuard zx2c4 2015-09-30"
> initiator.hash = HASH(responder.static_public)
I want h to bind everything, including the name, so it could later be
used for signatures etc.
But now that we're not special-casing the first MixKey(), we might as
well get use out of it, and you're right that mixing the name into k
is a little more conservative, in case keys are shared with some other
protocol that doesn't take any reuse precautions.
So I've changed revision 8 to set k = h = handshake_name.
Trevor
More information about the Noise
mailing list