[noise] 5.8. Deriving a new session

Jason A. Donenfeld Jason at zx2c4.com
Sun Jul 5 18:07:58 PDT 2015


On Mon, Jul 6, 2015 at 2:57 AM, Trevor Perrin <trevp at trevp.net> wrote:
>
> I'm not sure how that would work, remember the nonce can be set
> explicitly based on 64 bits.  Anyways, the nonce just needs to be
> unique, randomizing those bits adds complexity but little benefit.

Fair enough. Speaking of little benefit, you write "k: A symmetric key
for the cipher algorithm specified in the ciphersuite. This value must
be at least 256 bits in length for security reasons." This is
surprising, because you also recommend Curve25519, which provides
"128-bit security", whatever that means exactly. Wouldn't a more
reasonable k minimum length be the lowest common denominator?

> You could put your explicit nonce in the prologue to get additional
> authentication, but it's not necessary.

That's what I assumed, but you never know -- seems like there are
pitfalls up every alleyway.
