[noise] New branch: "simpler"

Trevor Perrin trevp at trevp.net
Thu Sep 24 23:16:26 PDT 2015


I'm trying out some (substantive) simplifications in the "simpler" branch:

https://github.com/trevp/noise/blob/simpler/noise.md


1)  Encrypt ephemeral public keys (if k is initialized).  This means
static and ephemeral keys, and payloads, are treated the same, so we
can eliminate MixHash() and do hashing inside
SymmetricHandshakeState.EncryptAndHash() / DecryptAndHash().

A lot of patterns begin with an exchange of ephemerals, so this won't
change those.  In patterns it does affect, the cost of encrypting an
ephemeral is small.  There's not much security benefit besides
simplification, but maybe this makes it harder for some eavesdroppers to
see which pattern is being used, or exploit weak RNGs or something.


2)  Drop the special-case in MixKey(), which was:  "If has_key ==
False sets k = HASH(data)".  Now it does HMAC-HASH(GETKEY(k, n), data)
always, even if k and n are zeros.

If you really want to optimize this you could hard-code constants and
then this would only be 1 extra compression function.  Most people
won't bother with this, but this sort of micro-optimization doesn't
matter much, so maybe we should prefer simplicity.


3)  Change handshake hashing to use ciphertext instead of plaintext.
I was originally thinking that hashing plaintext makes it easier to
see we are binding the correct values, and the MACs we're using don't
leak information about their input.

But on further thought, it's easier to argue the other way: if h binds
all relevant public keys then encryption is deterministic and "1-to-1"
with plaintext, whereas the risk of h leaking plaintext information
through the MAC seems more of a concern.


4) Drop preshared-keys.  They complicate handshake hashing, because
they're an additional input that's difficult to cover by the hash.
Also, you can use ephemeral pre-messages and dhee to accomplish
basically the same thing.


Trevor
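
Added example, not part of the original message and not code from the Noise specification: a minimal sketch of a SymmetricHandshakeState with the behaviour described in points 1 to 3 above. Assumptions: SHA-256 as HASH, a stand-in for GETKEY(k, n), an HMAC-based stand-in AEAD that takes h as associated data, and the hypothetical field name `k_initialized`.

```python
import hashlib
import hmac

TAGLEN = 16

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _ks(k, nonce, length):
    return b"".join(_prf(k, b"ks" + nonce + bytes([i])) for i in range(length // 32 + 1))

def _seal(k, n, ad, pt):
    # Stand-in AEAD (HMAC keystream + truncated HMAC tag); an assumption, not a Noise cipher.
    nonce = n.to_bytes(8, "big")
    body = bytes(a ^ b for a, b in zip(pt, _ks(k, nonce, len(pt))))
    return body + _prf(k, b"tag" + nonce + ad + body)[:TAGLEN]

def _open(k, n, ad, ct):
    nonce, body, tag = n.to_bytes(8, "big"), ct[:-TAGLEN], ct[-TAGLEN:]
    if not hmac.compare_digest(tag, _prf(k, b"tag" + nonce + ad + body)[:TAGLEN]):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _ks(k, nonce, len(body))))

class SymmetricHandshakeState:
    def __init__(self, name):
        self.k, self.n, self.k_initialized = bytes(32), 0, False
        self.h = hashlib.sha256(name).digest()

    def mix_key(self, data):
        # Point 2: no "k = HASH(data)" special case; same HMAC path even from all-zero k, n.
        getkey = _prf(self.k, b"getkey" + self.n.to_bytes(8, "big"))  # assumed GETKEY(k, n)
        self.k, self.n, self.k_initialized = _prf(getkey, data), 0, True

    def encrypt_and_hash(self, plaintext):
        # Point 1: ephemeral keys, static keys and payloads all take this one path.
        wire = plaintext
        if self.k_initialized:
            wire = _seal(self.k, self.n, self.h, plaintext)
            self.n += 1
        self.h = hashlib.sha256(self.h + wire).digest()  # Point 3: hash the bytes on the wire
        return wire

    def decrypt_and_hash(self, wire):
        plaintext = wire
        if self.k_initialized:
            plaintext = _open(self.k, self.n, self.h, wire)  # raises before any state change
            self.n += 1
        self.h = hashlib.sha256(self.h + wire).digest()
        return plaintext
```

Because h is updated with the wire bytes, both sides compute the same h from what was transmitted, and a modified ciphertext is rejected before n or h change.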

