[noise] Making sender pubkey encryption more consistent

Trevor Perrin trevp at trevp.net
Wed Jul 30 21:22:56 PDT 2014

It's sort of inconsistent how a Noise box contains:
 (a) the sender's public-key encrypted WITHOUT padding with a MAC
 (b) the actual contents encrypted WITH padding and a MAC

The sender's public-key doesn't really need padding, but it might be
simpler if we just used the same padded-encryption for both.

Here's what that might look like, what do people think? -

struct {
    bytes encrypted_contents[contents_len];
    bytes encrypted_padding[padding_len];
    bytes encrypted_padding_len[4];
    bytes mac[MAC_LEN];
} NoiseEncryption;

struct {
    NoiseEncryption header;  # sender public key
    NoiseEncryption body;    # application data
} NoiseBox;

noise_encrypt(cc, pad_len, contents, authtext=""):
  plaintext = contents || random(pad_len) || (uint32_little_endian)pad_len
  encryption = ENCRYPT(cc, plaintext, authtext)
  return encryption

noise_box(eph_key, sender_key, target_pubkey, pad_len1, pad_len2, app_data,
          kdf_num, cv):
  dh1 = DH(eph_key.priv, target_pubkey)
  dh2 = DH(sender_key.priv, target_pubkey)
  cv1 || cc1 = KDF(dh1, cv,  SUITE_NAME || (byte)kdf_num,       CV_LEN + CC_LEN)
  cv2 || cc2 = KDF(dh2, cv1, SUITE_NAME || (byte)(kdf_num + 1), CV_LEN + CC_LEN)
  header = noise_encrypt(cc1, pad_len1, sender_key.pub, target_pubkey || eph_key.pub)
  body   = noise_encrypt(cc2, pad_len2, app_data,       target_pubkey || header)
  return (header || body), cv2
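
The proposed NoiseEncryption layout as a runnable sketch, added here as an example and not code from the original post or the Noise project. ENCRYPT is replaced by an HMAC-SHA256 stand-in (stream plus truncated MAC); MAC_LEN = 16, the helper names and noise_decrypt are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

MAC_LEN = 16  # assumed value; the post leaves MAC_LEN to the ciphersuite

def subkey(cc, label):
    # Separate encryption and MAC keys derived from the cipher context cc.
    return hmac.new(cc, label, hashlib.sha256).digest()

def stream_xor(key, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode. Not the Noise ciphersuite.
    # There is no nonce, so each cc must be used for exactly one encryption.
    ks = b""
    for ctr in range((len(data) + 31) // 32):
        ks += hmac.new(key, struct.pack("<Q", ctr), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def mac_tag(key, authtext, ciphertext):
    # Length-prefix authtext so its boundary with the ciphertext is unambiguous.
    msg = struct.pack("<Q", len(authtext)) + authtext + ciphertext
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def noise_encrypt(cc, pad_len, contents, authtext=b""):
    # plaintext = contents || random(pad_len) || (uint32_little_endian)pad_len
    plaintext = contents + os.urandom(pad_len) + struct.pack("<I", pad_len)
    ct = stream_xor(subkey(cc, b"enc"), plaintext)
    return ct + mac_tag(subkey(cc, b"mac"), authtext, ct)

def noise_decrypt(cc, encryption, authtext=b""):
    if len(encryption) < 4 + MAC_LEN:
        raise ValueError("too short for padding_len and mac")
    ct, tag = encryption[:-MAC_LEN], encryption[-MAC_LEN:]
    # Verify the MAC before interpreting the padding length.
    if not hmac.compare_digest(tag, mac_tag(subkey(cc, b"mac"), authtext, ct)):
        raise ValueError("MAC check failed")
    plaintext = stream_xor(subkey(cc, b"enc"), ct)
    (pad_len,) = struct.unpack("<I", plaintext[-4:])
    # A pad_len larger than what precedes it is malformed even if authenticated.
    if pad_len > len(plaintext) - 4:
        raise ValueError("padding_len exceeds plaintext")
    return plaintext[: len(plaintext) - 4 - pad_len]
```

With pad_len = 0 a 32-byte sender public key costs 4 extra bytes (the encrypted padding_len field) compared with the unpadded header.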


