[noise] New branch: hkdf

Trevor Perrin trevp at trevp.net
Fri Oct 2 18:00:08 PDT 2015


https://github.com/trevp/noise/blob/hkdf/noise.md

Offlist I've gotten feedback: Why not just use HKDF for key
derivation, since everyone else does (QUIC, TLS 1.3, IPsec)?

The current design is elegant in that it doesn't need separate cipher
keys or chain keys, and it can be optimized to a pretty minimal amount
of hash / cipher ops.

The counter-argument is:
 * Everyone else uses HKDF, so it's going to be harder to make people
comfortable with a different design, and we don't benefit from the
analysis and review that HKDF gets
 * These micro-optimizations don't matter
 * The GETKEY() construct adds a bunch of complexity to explain that
we're using the AEAD, but also allowing you to skip the AEAD and just
use the cipher

So I spec'd out an HKDF version.  Let's consider this and see if we prefer it.


Trevor

