[noise] Key exchange and DuplexWrap-like protocols [xpost messaging]
Michael Hamburg
mike at shiftleft.org
Wed Feb 18 11:38:00 PST 2015
> On Feb 15, 2015, at 12:10 AM, Trevor Perrin <trevp at trevp.net> wrote:
>
> On Thu, Feb 12, 2015 at 3:03 PM, Michael Hamburg <mike at shiftleft.org> wrote:
>>
>> Trevor redirected me to here after posting on Messaging. I wonder what you think of the following design for a simpler Noise-like key exchange and messaging protocol.
> [...]
>>
>> Thoughts?
>
>
> The Axolotl spec I'm writing is going to use the notion of a "PRF
> chain", a sequence of keys defined by:
>
> (K[i], output) = PRF(K[i-1], input)
>
> So Axolotl is basically a PRF "root chain" that takes DH secrets as
> inputs and produces new sending and receiving chains as outputs. The
> sending and receiving chains process constant inputs and produce
> message keys. The argument is that these chains have good properties:
>
> * One-way: An attacker with knowledge of all inputs and some later
> keys can't "reverse" the PRF to derive earlier keys.
>
> * Secrecy-preserving: An attacker with control of all inputs but
> without knowledge of earlier keys can't learn any information about
> later keys.
>
> * Entropy-accumulating: An attacker with knowledge of earlier keys
> and some inputs can't compute later keys, provided the unknown inputs
> add sufficient entropy.
>
> It seems like DuplexWrap has the same or similar properties?
Similar. It’s not one-way, unfortunately, and so needs careful application of the “forget” call. But since its block function is intended to be stronger than a PRF, it also acts as a hash function and KDF. That said, you can probably use more aggressive parameters with a keyed sponge construction than in an unkeyed one.
> ---
>
> You're right that this is also similar to how Noise uses its KDF.
>
> Anyways, I'm less interested in the particulars of Keyak or
> DuplexWrap, more interested in how powerful this abstraction seems for
> protocol design. I think it's worth considering whether Noise should
> be more explicitly designed around this sort of notion, I'll say more
> about that in Kenton's thread.
>
> Trevor
Yeah, I agree that Keyak and DuplexWrap themselves are less interesting than the overall idea of a chain like this.
— Mike
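The PRF chain Trevor sketches above, worked through as an added example (not code from the thread, from Axolotl, or from Noise): HMAC-SHA256 is assumed as the PRF, with two one-byte domain-separation labels to split its result into the next chain key and the output. A root chain absorbs constructed stand-ins for DH secrets, each output seeds a sending/receiving chain, and those chains step on a constant input to produce message keys. The `derive_message_keys` and `prefix_shared` helpers are mine, added so that the entropy-accumulating property can be observed: swapping one DH secret leaves earlier chains intact and changes every later one.

```python
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> tuple[bytes, bytes]:
    """One chain step: (K[i], output) = PRF(K[i-1], input).

    Assumed construction (not from the thread): HMAC-SHA256 evaluated under
    two labels, so the next chain key and the output are independent values.
    """
    next_key = hmac.new(key, b"\x01" + data, hashlib.sha256).digest()
    output = hmac.new(key, b"\x02" + data, hashlib.sha256).digest()
    return next_key, output


class PrfChain:
    """A PRF chain that retains only its current key K[i].

    The previous key is overwritten on every step. That is what makes the
    one-way property matter: a compromise of the current state does not
    hand over the keys that came before it.
    """

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.index = 0

    def step(self, data: bytes) -> bytes:
        self.key, output = prf(self.key, data)
        self.index += 1
        return output


class MessageChain(PrfChain):
    """Sending or receiving chain: constant input, message keys as outputs."""

    CONSTANT = b"message"  # constructed label; any fixed value works

    def next_message_key(self) -> bytes:
        return self.step(self.CONSTANT)


def root_ratchet(root: PrfChain, dh_secret: bytes) -> MessageChain:
    """Feed a DH secret into the root chain; its output seeds a new message chain."""
    return MessageChain(root.step(dh_secret))


def derive_message_keys(root_key: bytes, dh_secrets: list[bytes],
                        per_chain: int) -> list[list[bytes]]:
    """Run the whole structure from a shared root key and a sequence of DH secrets.

    Returns, per DH secret, the message keys produced by the chain it created.
    Two parties with the same root key and the same DH secrets get equal lists.
    """
    root = PrfChain(root_key)
    chains = []
    for secret in dh_secrets:
        chain = root_ratchet(root, secret)
        chains.append([chain.next_message_key() for _ in range(per_chain)])
    return chains


def prefix_shared(a: list[list[bytes]], b: list[list[bytes]]) -> int:
    """Number of leading chains on which two derivations agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    root_key = os.urandom(32)
    secrets = [os.urandom(32) for _ in range(3)]  # constructed stand-ins for DH outputs
    alice = derive_message_keys(root_key, secrets, 2)
    bob = derive_message_keys(root_key, secrets, 2)
    assert alice == bob
    # Replace the second DH secret: chain 0 is unchanged, chains 1 and 2 diverge,
    # because the unknown input has been folded into every later root key.
    other = derive_message_keys(root_key, [secrets[0], os.urandom(32), secrets[2]], 2)
    print("chains shared before divergence:", prefix_shared(alice, other))
```

The "forget" that Mike mentions for DuplexWrap corresponds here to `PrfChain.step` overwriting `self.key`; with a PRF that is genuinely one-way the overwrite is enough, whereas a duplex construction that is not one-way needs an explicit forget operation at the same point.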