[noise] Deriving additional keys

Trevor Perrin trevp at trevp.net
Sat Oct 8 13:57:36 PDT 2016


We had an earlier thread on "Resumption PSKs":

https://moderncrypto.org/mail-archive/noise/2016/000659.html

The question was: can we derive a symmetric key from an earlier
session, for use as PSK with a subsequent handshake?  (Of course, we
could just transmit the PSK, but deriving it is a little more
efficient).  I had a proposal, but I think this is a better one:

To derive an "additional" key or pair of keys, do:
  ki : initiator's post-handshake encryption key
  name : ASCII string zero-padded to 32 bytes
  K = ENCRYPT(ki, nonce=2^64-1, ad=zerolen, plaintext=zeros[32])[0..32]
  return HKDF(K, name)

For resumption, we could recommend using an empty name, and taking the
first HKDF output as the PSK, and the second HKDF output as a label
that can be attached to the first handshake message (somehow) to
indicate which PSK to use.

Some nice points:

 * K can be reused with different names, so if you want to generate
lots of resumption PSKs, or keys for other purposes, that's easy to
do.

 * K only needs to be calculated if additional key derivation is used,
otherwise this is a "zero cost" feature.  Alternatively we could
derive K from the ck at the time of Split(), but then we have to know
in advance whether it will be needed.

Trevor
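Added example, not code from the post or from the Noise project: the derivation above worked through for the ChaChaPoly/SHA-256 cipher suite, assuming the Noise nonce encoding (32 zero bits then 64-bit little-endian n) and the Noise HKDF construction (two HMAC outputs), with the ChaCha20 block function written out from RFC 7539 so it runs offline.

```python
import hmac
import hashlib
import struct

def _rotl(v, c):
    return ((v << c) | (v >> (32 - c))) & 0xFFFFFFFF

def chacha20_block(key, counter, nonce):
    """RFC 7539 ChaCha20 block function: 64 bytes of keystream for one counter."""
    s = [0x61707865, 0x3320646e, 0x79622d32, 0x6b206574]
    s += list(struct.unpack('<8L', key)) + [counter] + list(struct.unpack('<3L', nonce))
    w = s[:]
    def qr(a, b, c, d):
        w[a] = (w[a] + w[b]) & 0xFFFFFFFF; w[d] = _rotl(w[d] ^ w[a], 16)
        w[c] = (w[c] + w[d]) & 0xFFFFFFFF; w[b] = _rotl(w[b] ^ w[c], 12)
        w[a] = (w[a] + w[b]) & 0xFFFFFFFF; w[d] = _rotl(w[d] ^ w[a], 8)
        w[c] = (w[c] + w[d]) & 0xFFFFFFFF; w[b] = _rotl(w[b] ^ w[c], 7)
    for _ in range(10):  # 20 rounds = 10 double rounds (column, then diagonal)
        qr(0, 4, 8, 12); qr(1, 5, 9, 13); qr(2, 6, 10, 14); qr(3, 7, 11, 15)
        qr(0, 5, 10, 15); qr(1, 6, 11, 12); qr(2, 7, 8, 13); qr(3, 4, 9, 14)
    return struct.pack('<16L', *[(w[i] + s[i]) & 0xFFFFFFFF for i in range(16)])

def derive_k(ki):
    """K = ENCRYPT(ki, nonce=2^64-1, ad=zerolen, plaintext=zeros[32])[0..32] for ChaChaPoly."""
    # Noise ChaChaPoly nonce: 32 zero bits followed by the 64-bit little-endian n.
    nonce = b'\x00' * 4 + struct.pack('<Q', 2**64 - 1)
    # AEAD ChaCha20-Poly1305 spends counter 0 on the Poly1305 key and encrypts the
    # payload from counter 1; zeros XOR keystream == keystream, and the [0..32]
    # truncation discards the tag, so a single ChaCha20 block gives K.
    return chacha20_block(ki, 1, nonce)[:32]

def noise_hkdf(chaining_key, ikm):
    """Noise HKDF with SHA-256: returns (output1, output2)."""
    temp = hmac.new(chaining_key, ikm, hashlib.sha256).digest()
    out1 = hmac.new(temp, b'\x01', hashlib.sha256).digest()
    out2 = hmac.new(temp, out1 + b'\x02', hashlib.sha256).digest()
    return out1, out2

def derive_additional_keys(ki, name):
    """The proposal: HKDF(K, name) with the ASCII name zero-padded to 32 bytes."""
    if len(name) > 32:
        raise ValueError("name must be at most 32 bytes")
    return noise_hkdf(derive_k(ki), name.ljust(32, b'\x00'))

def resumption_psk_and_label(ki):
    """Empty name: first output is the resumption PSK, second is the PSK label."""
    return derive_additional_keys(ki, b'')
```

Because K depends only on ki, a peer that caches K can mint keys for many names without touching the cipher again, which is the "zero cost unless used" property described above.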