[noise] Key exchange and DuplexWrap-like protocols [xpost messaging]
Trevor Perrin
trevp at trevp.net
Sun Feb 15 00:10:41 PST 2015
On Thu, Feb 12, 2015 at 3:03 PM, Michael Hamburg <mike at shiftleft.org> wrote:
>
> Trevor redirected me to here after posting on Messaging. I wonder what you think of the following design for a simpler Noise-like key exchange and messaging protocol.
[...]
>
> Thoughts?
The Axolotl spec I'm writing is going to use the notion of a "PRF
chain", a sequence of keys defined by:
(K[i], output) = PRF(K[i-1], input)
So Axolotl is basically a PRF "root chain" that takes DH secrets as
inputs and produces new sending and receiving chains as outputs. The
sending and receiving chains process constant inputs and produce
message keys. The argument is that these chains have good properties:
* One-way: An attacker with knowledge of all inputs and some later
keys can't "reverse" the PRF to derive earlier keys.
* Secrecy-preserving: An attacker with control of all inputs but
without knowledge of earlier keys can't learn any information about
later keys.
* Entropy-accumulating: An attacker with knowledge of earlier keys
and some inputs can't compute later keys, provided the unknown inputs
add sufficient entropy.
It seems like DuplexWrap has the same or similar properties?
---
You're right that this is also similar to how Noise uses its KDF.
Anyways, I'm less interested in the particulars of Keyak or
DuplexWrap, more interested in how powerful this abstraction seems for
protocol design. I think it's worth considering whether Noise should
be more explicitly designed around this sort of notion, I'll say more
about that in Kenton's thread.
Trevor
More information about the Noise
mailing list