[noise] PQ crypto HFS

dawuud dawuud at riseup.net
Fri Nov 16 15:33:59 PST 2018



Dear Trevor and other Noise people,


tl;dr: We use Noise_XXhfs_25519+NewHopeSimple_ChaChaPoly_Blake2b, and so can you.

I am very interested in post quantum hybrid forward secrecy for Noise protocols
and I'd like to see more developers doing this. So far Katzenpost is the only one.
Why is it that an experimental grant funded free software project has the most advanced
usage of Noise?

I work on mixnets [1] and am very much concerned with making network transport protocols
which hide who is communicating with whom; the solution to the secure messaging problem
beyond just confidentiality. Messaging for real people with real sufficiently-global adversaries.

In the mixnet security threat model our Noise cryptographic link layer is not so important
since we use the Sphinx cryptographic packet format. [2] However, defense in depth suggests
we raise the cost of attacking our mix network. Each component mix in our mixnets should
communicate with each other via a Noise-based cryptographic link layer protocol.

It doesn't help us achieve the anonymity properties and it's not the main point of mixnets at all.
It is however important that our mixnet link layer use strong crypto and have a forward secret
handshake pattern. To that end Yawning Angel has designed our link layer and specified it here:

* https://github.com/katzenpost/docs/blob/master/specs/wire-protocol.rst


As soon as possible I would like to see this HFS extension be officially part of the Noise specification.
Perfect is the enemy of the good. What are we waiting for?

Weatherley, R., "Noise Extension: Hybrid Forward Secrecy", draft-5, June 2017,
https://github.com/noiseprotocol/noise_spec/blob/41d478d3dd97d77a6695f4d6cf6283e2830e9ca6/extensions/ext_hybrid_forward_secrecy.md


Yawning and I decided NOT to wait. Here's our fork of the flynn golang Noise library with
Yawning's HFS extension with NewHope-Simple over XX handshake pattern:

* https://github.com/katzenpost/noise

* godocs:
  https://godoc.org/github.com/katzenpost/noise#HFSFunc
  https://godoc.org/github.com/katzenpost/noise#HFSKey


AND here's our Noise based mixnet link layer protocol:


https://github.com/katzenpost/core/tree/master/wire


I should point out that I would like to get our fork merged upstream but currently
we cannot due to flynn's restrictions involving gpg signing with legal names. :\


Currently, I am developing a decryption mixnet framework in Rust and I am
very pleased with how amazing this language is. I am using Snow, the rust noise
implementation and I really like it. It looks like a very high quality library
and I would like to see PQ HFS added to it as soon as possible.

I'm working on it. Here's a ticket I opened to track this task:

* https://github.com/mcginty/snow/issues/39

I want to add an XX_HFS that uses Kyber. I might also add NewHope-Simple.
Currently I am in the middle of writing the "simple" modification to this NewHope rust crate:

* https://github.com/quininer/newhope
* https://github.com/david415/newhope/commits/simple.0

But it is probably less work to just make HFS Kyber work with Snow. Here's quininer's Kyber rust crate:

* https://github.com/quininer/kyber


I'd like to upgrade our noise fork to use Kyber as well. Of course Yawning
implemented Kyber in golang, here:

* https://git.schwanenlied.me/yawning/kyber


Once I've got Kyber HFS working in Snow and in flynn noise then I can think about possibly
implementing other PQ crypto primitives like Three Bears or whatever. But really I should
spend more time actually working on high level mix network abstraction and not be so
distracted with the inadequacies of cryptography libraries. There is much work to be done.
Who wants to help?


Cheers,
David


[1] The Panoramix Project - https://panoramix-project.eu/
    The Katzenpost Software Project - https://github.com/katzenpost


[2] https://github.com/katzenpost/docs/blob/master/specs/sphinx.rst
    https://cypherpunks.ca/~iang/pubs/Sphinx_Oakland09.pdf
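As an added illustration (not code from the Katzenpost fork, Snow, or the HFS draft), the model below shows the mechanism behind the hybrid forward secrecy named in the tl;dr: after the classical ephemeral DH output is mixed into the Noise chaining key, the PQ KEM shared secret is mixed in the same way with MixKey, so the resulting session key depends on both. It implements Noise's HKDF/MixKey with HMAC-BLAKE2b from the Python standard library; the DH and KEM secrets are constructed placeholders standing in for real X25519 and NewHope-Simple outputs, and the MixHash calls a real handshake also performs are omitted.

```python
"""Model of how a hybrid (hfs) Noise handshake folds a classical DH secret
and a post-quantum KEM secret into one chaining key via MixKey.
Added example; not the project's own code."""
import hashlib
import hmac

HASHLEN = 64  # BLAKE2b-512, the hash function in Noise_..._Blake2b

# Protocol name from the message; used only to seed the chaining key.
PROTOCOL_NAME = b"Noise_XXhfs_25519+NewHopeSimple_ChaChaPoly_Blake2b"

# Constructed stand-ins (NOT real X25519 / NewHope-Simple outputs).
DH_SECRET = bytes(range(32))
KEM_SECRET = hashlib.blake2b(b"constructed kem secret").digest()[:32]


def noise_hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.blake2b).digest()


def noise_hkdf(ck: bytes, ikm: bytes, n: int = 2):
    """HKDF as the Noise spec defines it: HMAC chain yielding 2 or 3 outputs."""
    temp_key = noise_hmac(ck, ikm)
    out1 = noise_hmac(temp_key, b"\x01")
    out2 = noise_hmac(temp_key, out1 + b"\x02")
    if n == 2:
        return out1, out2
    return out1, out2, noise_hmac(temp_key, out2 + b"\x03")


def mix_key(ck: bytes, ikm: bytes):
    """Noise MixKey: returns the new chaining key and a 32-byte cipher key."""
    new_ck, temp_k = noise_hkdf(ck, ikm)
    return new_ck, temp_k[:32]  # HASHLEN is 64, so k is truncated to 32


def initialize_symmetric(protocol_name: bytes) -> bytes:
    """Noise InitializeSymmetric: zero-pad short names, hash long ones."""
    if len(protocol_name) <= HASHLEN:
        return protocol_name.ljust(HASHLEN, b"\x00")
    return hashlib.blake2b(protocol_name).digest()


def classical_only_keys(protocol_name: bytes, dh_secret: bytes):
    """What a plain XX handshake would hold after its ee token."""
    return mix_key(initialize_symmetric(protocol_name), dh_secret)


def hybrid_keys(protocol_name: bytes, dh_secret: bytes, kem_secret: bytes):
    """XXhfs: mix the DH output, then the KEM output; both feed (ck, k)."""
    ck, _ = classical_only_keys(protocol_name, dh_secret)
    return mix_key(ck, kem_secret)
```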