[noise] New branch: "simpler"
Stephen Touset
stephen at squareup.com
Fri Sep 25 12:08:01 PDT 2015
I might be wrong, but there doesn’t seem to be a way for has_key to
ever become True in this branch.
> On Sep 24, 2015, at 11:16 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> I'm trying out some (substantive) simplifications in the "simpler" branch:
>
> https://github.com/trevp/noise/blob/simpler/noise.md
>
>
> 1) Encrypt ephemeral public keys (if k is initialized). This means
> static and ephemeral keys, and payloads, are treated the same, so we
> can eliminate MixHash() and do hashing inside
> SymmetricHandshakeState.EncryptAndHash() / DecryptAndHash().
>
> A lot of patterns begin with an exchange of ephemerals, so this won't
> change those. In patterns it does affect, the cost of encrypting an
> ephemeral is small. There's not much security benefit besides
> simplification, but maybe this makes it harder for some eavesdroppers to
> see which pattern is being used, or exploit weak RNGs or something.
>
>
> 2) Drop the special-case in MixKey(), which was: "If has_key ==
> False sets k = HASH(data)". Now it does HMAC-HASH(GETKEY(k, n), data)
> always, even if k and n are zeros.
>
> If you really want to optimize this you could hard-code constants and
> then this would only be 1 extra compression function. Most people
> won't bother with this, but this sort of micro-optimization doesn't
> matter much, so maybe we should prefer simplicity.
>
>
> 3) Change handshake hashing to use ciphertext instead of plaintext.
> I was originally thinking that hashing plaintext makes it easier to
> see we are binding the correct values, and the MACs we're using don't
> leak information about their input.
>
> But on further thought, it's easier to argue the other way: if h binds
> all relevant public keys then encryption is deterministic and "1-to-1"
> with plaintext, whereas the risk of h leaking plaintext information
> through the MAC seems more of a concern.
>
>
> 4) Drop preshared-keys. They complicate handshake hashing, because
> they're an additional input that's difficult to cover by the hash.
> Also, you can use ephemeral pre-messages and dhee to accomplish
> basically the same thing.
>
>
> Trevor
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise
--
Stephen Touset
stephen at squareup.com
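
Item 2 of the quoted message, as an added sketch that is not part of either post or of the Noise draft: the special-cased MixKey() beside the unconditional one, plus the hard-coded-constant shortcut the message mentions. `getkey_stub` is a hypothetical stand-in for GETKEY(k, n), which this page does not define; SHA-256, 32-byte keys and the function names are assumptions, and only the derivation of k is modelled.

```python
import hashlib
import hmac

KEYLEN = 32
ZERO_K = bytes(KEYLEN)


def getkey_stub(k: bytes, n: int) -> bytes:
    """Hypothetical stand-in for GETKEY(k, n); the real definition is not on this page."""
    return hashlib.sha256(b"getkey-stub" + k + n.to_bytes(8, "little")).digest()


def mix_key_old(k: bytes, n: int, has_key: bool, data: bytes) -> bytes:
    """Earlier rule quoted in item 2: if has_key is False, k = HASH(data)."""
    if not has_key:
        return hashlib.sha256(data).digest()
    return hmac.new(getkey_stub(k, n), data, hashlib.sha256).digest()


def mix_key_simpler(k: bytes, n: int, data: bytes) -> bytes:
    """Rule in the "simpler" branch: always HMAC-HASH(GETKEY(k, n), data)."""
    return hmac.new(getkey_stub(k, n), data, hashlib.sha256).digest()


# With k and n all zeros the HMAC key is a constant, so the keyed state can be
# set up once and reused for every handshake's first MixKey() call.
ZERO_STATE = hmac.new(getkey_stub(ZERO_K, 0), digestmod=hashlib.sha256)


def mix_key_first(data: bytes) -> bytes:
    """First MixKey() of a handshake using the precomputed zero-key state."""
    state = ZERO_STATE.copy()  # copy so the shared constant state is never mutated
    state.update(data)
    return state.digest()


if __name__ == "__main__":
    dh_output = bytes(range(32))  # constructed sample input, not a real DH result
    print("old, has_key=False:", mix_key_old(ZERO_K, 0, False, dh_output).hex())
    print("simpler           :", mix_key_simpler(ZERO_K, 0, dh_output).hex())
    print("simpler, constant :", mix_key_first(dh_output).hex())
```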