[noise] ECDH Authentication - Signatures vs Authenticated Encryption

Jason A. Donenfeld Jason at zx2c4.com
Thu Jun 11 03:57:51 PDT 2015


On Thu, Jun 11, 2015 at 3:18 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net>
wrote:
>
> One risk here is that you end up re-using the same key on each
> connection, and in each direction.

> If the AE algorithm you're using has any limit on the number of
> different messages you can safely encrypt under the same key


I do use a random 12 byte nonce (chacha20poly1305 construction), but still
- you raise a good point.
So -- what if I mix a public salt of considerable size into the mix during
key derivation?

1. client -> server:
   salt = random_bytes(32)
   key1 = HKDF(client longterm private key * server longterm public key, salt)
   salt | AUTHENTICATED_ENCRYPTION(client ephemeral public key, key1)
2. server -> client:
   salt = random_bytes(32)
   key2 = HKDF(server longterm private key * client longterm public key, salt)
   salt | AUTHENTICATED_ENCRYPTION(server ephemeral public key, key2)


Also - is this general approach a *valid* way of avoiding needing Ed25519
signatures?
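The two-step exchange above, written out as an added example (not code from the post or from Noise): each side mixes a fresh 32-byte public salt into HKDF over the static-static X25519 secret, encrypts its ephemeral public key with ChaCha20-Poly1305 under the result, and the receiver authenticates the sender simply by re-deriving the key from its own static private key and checking the tag. It uses the `cryptography` library; SHA-256 as the HKDF hash and carrying the 12-byte nonce on the wire are assumptions the post does not specify.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

SALT_LEN, NONCE_LEN = 32, 12  # 32-byte public salt and 12-byte nonce, as in the post

def pub_bytes(private_key):
    """Raw 32-byte public half of a key, as it would go on the wire."""
    return private_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

def derive_key(my_static, peer_static_pub, salt):
    """key = HKDF(my longterm private * peer longterm public, salt)."""
    # Both parties compute the same DH secret, so only the salt separates the
    # per-connection and per-direction keys; a fresh salt gives a fresh key.
    shared = my_static.exchange(peer_static_pub)
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=salt, info=None).derive(shared)

def seal_ephemeral(my_static, peer_static_pub, my_ephemeral):
    """Sender: salt | nonce | AEAD(ephemeral public key, key). Sending the nonce
    on the wire is an assumption; the post does not say where it lives."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(my_static, peer_static_pub, salt)
    return salt + nonce + ChaCha20Poly1305(key).encrypt(nonce, pub_bytes(my_ephemeral), None)

def open_ephemeral(my_static, peer_static_pub, msg):
    """Receiver: re-derive the key from the received salt; a valid tag shows the
    sender holds peer_static_pub's private key, any failure yields None."""
    salt, nonce, ct = msg[:SALT_LEN], msg[SALT_LEN:SALT_LEN + NONCE_LEN], msg[SALT_LEN + NONCE_LEN:]
    try:
        return ChaCha20Poly1305(derive_key(my_static, peer_static_pub, salt)).decrypt(nonce, ct, None)
    except InvalidTag:
        return None

def run_handshake():
    """Steps 1 and 2 from the post with fresh static keys, plus a step-1 message
    from an impostor who knows both public keys but neither static private key."""
    client, server, impostor, c_eph, s_eph = (X25519PrivateKey.generate() for _ in range(5))
    msg1 = seal_ephemeral(client, server.public_key(), c_eph)  # 1. client -> server
    msg2 = seal_ephemeral(server, client.public_key(), s_eph)  # 2. server -> client
    forged = seal_ephemeral(impostor, server.public_key(), c_eph)
    client_key = lambda salt: derive_key(client, server.public_key(), salt)
    return {
        "server_recovers_client_ephemeral": open_ephemeral(server, client.public_key(), msg1) == pub_bytes(c_eph),
        "client_recovers_server_ephemeral": open_ephemeral(client, server.public_key(), msg2) == pub_bytes(s_eph),
        "server_rejects_impostor": open_ephemeral(server, client.public_key(), forged) is None,
        "both_sides_derive_same_key": client_key(msg1[:SALT_LEN]) == derive_key(server, client.public_key(), msg1[:SALT_LEN]),
        "key_differs_per_direction": client_key(msg1[:SALT_LEN]) != client_key(msg2[:SALT_LEN]),
    }
```

The impostor case is the answer to the signature question in miniature: without a static private key nobody can produce a tag the peer accepts, so the AEAD tag carries the authentication that a signature would otherwise provide.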