[noise] New draft: nonces and session derivation
Trevor Perrin
trevp at trevp.net
Thu Jun 25 01:21:13 PDT 2015
https://github.com/trevp/noise/blob/master/noise.md

Previous drafts had the ChaChaPoly ciphersuite rekey after every
encryption (i.e. replace the key based on some extra keystream
output). The AES-GCM ciphersuites would just increment a nonce.

I've changed both ciphersuites to use a 64-bit nonce which
auto-increments, but can also be manually set. Rekey is now a manual
option - you can "derive" a child session from the parent session.
This is general enough to also replace the "split" operation, so you
can use session-derivation either for creating multiple send/receive
streams post-handshake, or for per-message forward-secrecy.

The gains are:
- consistent properties across ciphersuites
- manual control of nonces for unordered, UDP-like protocols
- manual control of rekey for more flexibility
- 64-bit nonces to make clear these should be counters, not random values
- you can combine nonces and session-derivation to do interesting key
derivations, for example if you want a 128-bit random nonce (e.g. for
a NaCl-like crypto_box) you can do nonce / derive / nonce / derive,
mixing the nonce in 64 bits at a time.

Hopefully this fixes the limitations raised by Tiffany and Jason.
Feedback like that (trying to map this to use cases) is very welcome,
so send more!

Trevor
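
The session model described in the post, as an added illustration that is not Noise's own code nor the draft at the linked URL: a session holds a 32-byte key and a 64-bit counter nonce that auto-increments on each use but can be set manually, `derive()` produces a child session from the parent key and the nonce it consumes (manual rekey, usable for per-message forward secrecy), and the nonce / derive / nonce / derive chain folds a 128-bit random nonce into the key 64 bits at a time. The AEAD is a stand-in built from HMAC-SHA256 (keystream plus tag) so the example runs with the standard library alone; the derivation label, the choice that `derive()` consumes a nonce the way an encryption does, and the `split()` construction are assumptions of this example, not details taken from the draft.

```python
import hashlib
import hmac
import struct

NONCE_MAX = 2**64 - 1   # 64-bit counter nonce, as in the draft
TAG_LEN = 16


class CipherState:
    """Toy model of a Noise-style session: a 32-byte key plus a 64-bit
    counter nonce that auto-increments on every use but can also be set.
    The AEAD is an HMAC-SHA256 keystream plus HMAC tag, a constructed
    stand-in for ChaChaPoly/AES-GCM (illustration only, not a real cipher)."""

    def __init__(self, key: bytes):
        if len(key) != 32:
            raise ValueError("key must be 32 bytes")
        self.key = key
        self.nonce = 0

    def set_nonce(self, n: int) -> None:
        """Manual nonce control, e.g. for unordered UDP-like transports."""
        if not 0 <= n <= NONCE_MAX:
            raise ValueError("nonce must fit in 64 bits")
        self.nonce = n

    def _use_nonce(self) -> int:
        """Return the current nonce and auto-increment; never wrap around."""
        if self.nonce > NONCE_MAX:
            raise OverflowError("nonce space exhausted; derive a new session")
        n = self.nonce
        self.nonce += 1
        return n

    def _keystream(self, nonce: int, length: int) -> bytes:
        out = b""
        block = 0
        while len(out) < length:
            out += hmac.new(self.key, struct.pack("<QQ", nonce, block), hashlib.sha256).digest()
            block += 1
        return out[:length]

    def _tag(self, nonce: int, ad: bytes, ct: bytes) -> bytes:
        msg = b"tag" + struct.pack("<QQ", nonce, len(ad)) + ad + ct
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]

    def encrypt(self, plaintext: bytes, ad: bytes = b"") -> tuple:
        """Encrypt under the current nonce, then auto-increment. The nonce
        used is returned so a receiver can set it explicitly if messages
        arrive out of order."""
        n = self._use_nonce()
        ks = self._keystream(n, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        return n, ct + self._tag(n, ad, ct)

    def decrypt(self, nonce: int, data: bytes, ad: bytes = b"") -> bytes:
        """Decrypt under an explicit nonce; the tag is checked first."""
        if len(data) < TAG_LEN:
            raise ValueError("ciphertext too short")
        ct, tag = data[:-TAG_LEN], data[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(nonce, ad, ct)):
            raise ValueError("authentication failed")
        ks = self._keystream(nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))

    def derive(self) -> "CipherState":
        """Manual rekey: child key = KDF(parent key, consumed nonce). The
        child starts at nonce 0; dropping the parent gives forward secrecy.
        (Label and nonce consumption are this example's assumptions.)"""
        n = self._use_nonce()
        child_key = hmac.new(self.key, b"derive" + struct.pack("<Q", n), hashlib.sha256).digest()
        return CipherState(child_key)


def session_for_random_nonce(parent: CipherState, nonce128: bytes) -> CipherState:
    """nonce / derive / nonce / derive: mix a 128-bit random nonce into the
    key 64 bits at a time, for a crypto_box-like use."""
    if len(nonce128) != 16:
        raise ValueError("expected a 16-byte nonce")
    hi, lo = struct.unpack("<QQ", nonce128)
    s = CipherState(parent.key)
    s.set_nonce(hi)
    s = s.derive()
    s.set_nonce(lo)
    return s.derive()


def split(parent: CipherState) -> tuple:
    """One way to replace 'split' with derivation (an assumption here):
    children derived at nonce 0 and nonce 1 become the send and receive
    streams; both peers compute the same pair from the same parent key."""
    s = CipherState(parent.key)
    s.set_nonce(0)
    send = s.derive()   # consumes nonce 0
    recv = s.derive()   # consumes nonce 1
    return send, recv
```

Because `derive()` consumes a nonce, two successive derivations from one parent never yield the same child key, and a peer that knows the parent key and the nonce value recomputes the same child deterministically; an application that needs the 128-bit nonce variant transmits the 16 random bytes alongside the message and lets the receiver run the same two-step chain.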