[noise] Key exchange and DuplexWrap-like protocols [xpost messaging]

Trevor Perrin trevp at trevp.net
Fri Mar 13 19:20:28 PDT 2015


Mike pointed out Blinker, which uses Sponge-based crypto to implement
encryption based on an evolving shared state.  Interestingly it uses a
single cipher context, rather than one for each direction, both for
efficiency and an argued security gain (authenticates the interleaved
order of messages):

http://eprint.iacr.org/2013/772.pdf

Seems reasonable, and like something a Noise-like protocol should be
able to support.

Trevor


On Wed, Feb 18, 2015 at 11:38 AM, Michael Hamburg <mike at shiftleft.org> wrote:
>
>> On Feb 15, 2015, at 12:10 AM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> On Thu, Feb 12, 2015 at 3:03 PM, Michael Hamburg <mike at shiftleft.org> wrote:
>>>
>>> Trevor redirected me to here after posting on Messaging.  I wonder what you think of the following design for a simpler Noise-like key exchange and messaging protocol.
>> [...]
>>>
>>> Thoughts?
>>
>>
>> The Axolotl spec I'm writing is going to use the notion of a "PRF
>> chain", a sequence of keys defined by:
>>
>> (K[i], output) = PRF(K[i-1], input)
>>
>> So Axolotl is basically a PRF "root chain" that takes DH secrets as
>> inputs and produces new sending and receiving chains as outputs.  The
>> sending and receiving chains process constant inputs and produce
>> message keys.  The argument is that these chains have good properties:
>>
>> * One-way:  An attacker with knowledge of all inputs and some later
>> keys can't "reverse" the PRF to derive earlier keys.
>>
>> * Secrecy-preserving:  An attacker with control of all inputs but
>> without knowledge of earlier keys can't learn any information about
>> later keys.
>>
>> * Entropy-accumulating: An attacker with knowledge of earlier keys
>> and some inputs can't compute later keys, provided the unknown inputs
>> add sufficient entropy.
>>
>> It seems like DuplexWrap has the same or similar properties?
>
> Similar.  It’s not one-way, unfortunately, and so needs careful application of the “forget” call.  But since its block function is intended to be stronger than a PRF, it also acts as a hash function and KDF.  That said, you can probably use more aggressive parameters with a keyed sponge construction than in an unkeyed one.
>
>
>> ---
>>
>> You're right that this is also similar to how Noise uses its KDF.
>>
>> Anyways, I'm less interested in the particulars of Keyak or
>> DuplexWrap, more interested in how powerful this abstraction seems for
>> protocol design. I think it's worth considering whether Noise should
>> be more explicitly designed around this sort of notion, I'll say more
>> about that in Kenton's thread.
>>
>> Trevor
>
> Yeah, I agree that Keyak and DuplexWrap themselves are less interesting than the overall idea of a chain like this.
>
> — Mike
>
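As an added illustration of the two ideas discussed in this thread (a PRF chain with a root chain feeding per-direction sending chains, and Blinker's single shared context that authenticates the interleaving of both directions), the following Python is example code written for this page, not code from Trevor, Mike, Axolotl, Noise or Blinker. It assumes HMAC-SHA256 with a one-byte domain separator as the PRF (the thread names no concrete PRF); the function and class names are hypothetical.

```python
import hashlib
import hmac


def prf(key, data):
    """One PRF chain step: (K[i], output) = PRF(K[i-1], input).

    Assumption: HMAC-SHA256 with a domain-separation byte; the thread
    does not fix a concrete PRF, so this choice is illustrative.
    """
    next_key = hmac.new(key, b"\x01" + data, hashlib.sha256).digest()
    output = hmac.new(key, b"\x02" + data, hashlib.sha256).digest()
    return next_key, output


class PrfChain:
    """Evolving chain key; the old key is overwritten on every step,
    which is what gives the chain its one-way (forward-secret) property."""

    def __init__(self, key):
        self.key = key
        self.index = 0

    def step(self, data=b""):
        self.key, output = prf(self.key, data)
        self.index += 1
        return output


def root_and_message_keys(root_key, dh_secrets, n_messages):
    """Root chain consumes DH secrets (entropy-accumulating inputs); each
    output seeds a sending chain that runs on a constant input and yields
    message keys. Returns one list of message keys per DH secret."""
    root = PrfChain(root_key)
    epochs = []
    for dh_secret in dh_secrets:
        chain_key = root.step(dh_secret)
        sending = PrfChain(chain_key)
        epochs.append([sending.step(b"\x00") for _ in range(n_messages)])
    return epochs


def transcript_keys(shared_key, messages):
    """Blinker-style single context: both directions are absorbed into one
    chain, so a key depends on the interleaved order of every prior message.
    messages is a list of (direction_tag, payload) pairs."""
    chain = PrfChain(shared_key)
    return [chain.step(direction + payload) for direction, payload in messages]


def per_direction_keys(shared_key, messages):
    """Contrast: one chain per direction. Each key depends only on that
    side's own message sequence, so the interleaving is not authenticated."""
    chains = {}
    keys = []
    for direction, payload in messages:
        if direction not in chains:
            chains[direction] = PrfChain(prf(shared_key, direction)[1])
        keys.append(chains[direction].step(payload))
    return keys


if __name__ == "__main__":
    # Constructed sample values; real secrets would come from DH and a KDF.
    root = b"\x11" * 32
    print(root_and_message_keys(root, [b"dh-1", b"dh-2"], 2))
    msgs = [(b"A", b"hello"), (b"B", b"world"), (b"A", b"again")]
    print(transcript_keys(root, msgs))
```

Running the two transcript functions on the same messages in two different orders shows the difference Trevor highlights: with `transcript_keys` every key after the swap changes, while `per_direction_keys` produces the same per-side keys regardless of how the directions were interleaved.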

