[noise] New branch: "simpler"

Stephen Touset stephen at squareup.com
Fri Sep 25 12:08:01 PDT 2015


I might be wrong, but there doesn’t seem to be a way for has_key to
ever become True in this branch.

> On Sep 24, 2015, at 11:16 PM, Trevor Perrin <trevp at trevp.net> wrote:
> 
> I'm trying out some (substantive) simplifications in the "simpler" branch:
> 
> https://github.com/trevp/noise/blob/simpler/noise.md
> 
> 
> 1)  Encrypt ephemeral public keys (if k is initialized).  This means
> static and ephemeral keys, and payloads, are treated the same, so we
> can eliminate MixHash() and do hashing inside
> SymmetricHandshakeState.EncryptAndHash() / DecryptAndHash().
> 
> A lot of patterns begin with an exchange of ephemerals, so this won't
> change those.  In patterns it does affect, the cost of encrypting an
> ephemeral is small.  There's not much security benefit besides
> simplification, but maybe this makes it harder for some eavesdroppers to
> see which pattern is being used, or exploit weak RNGs or something.
> 
> 
> 2)  Drop the special-case in MixKey(), which was:  "If has_key ==
> False sets k = HASH(data)".  Now it does HMAC-HASH(GETKEY(k, n), data)
> always, even if k and n are zeros.
> 
> If you really want to optimize this you could hard-code constants and
> then this would only be 1 extra compression function.  Most people
> won't bother with this, but this sort of micro-optimization doesn't
> matter much, so maybe we should prefer simplicity.
> 
> 
> 3)  Change handshake hashing to use ciphertext instead of plaintext.
> I was originally thinking that hashing plaintext makes it easier to
> see we are binding the correct values, and the MACs we're using don't
> leak information about their input.
> 
> But on further thought, it's easier to argue the other way: if h binds
> all relevant public keys then encryption is deterministic and "1-to-1"
> with plaintext, whereas the risk of h leaking plaintext information
> through the MAC seems more of a concern.
> 
> 
> 4) Drop preshared-keys.  They complicate handshake hashing, because
> they're an additional input that's difficult to cover by the hash.
> Also, you can use ephemeral pre-messages and dhee to accomplish
> basically the same thing.
> 
> 
> Trevor

-- 
Stephen Touset
stephen at squareup.com




