[noise] New branch: "simpler"

Trevor Perrin trevp at trevp.net
Fri Sep 25 12:10:43 PDT 2015 

On Fri, Sep 25, 2015 at 12:08 PM, Stephen Touset <stephen at squareup.com> wrote:
> I might be wrong, but there doesn’t seem to be a way for has_key to
> ever become True in this branch.

Oops, fixed!

Trevor


>
>> On Sep 24, 2015, at 11:16 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> I'm trying out some (substantive) simplifications in the "simpler" branch:
>>
>> https://github.com/trevp/noise/blob/simpler/noise.md
>>
>>
>> 1)  Encrypt ephemeral public keys (if k is initialized).  This means
>> static and ephemeral keys, and payloads, are treated the same, so we
>> can eliminate MixHash() and do hashing inside
>> SymmetricHandshakeState.EncryptAndHash() / DecryptAndHash().
>>
>> A lot of patterns begin with an exchange of ephemerals, so this won't
>> change those.  In patterns it does affect, the cost of encrypting an
>> ephemeral is small.  There's not much security benefit besides
>> simplication, but maybe this makes it harder for some eavesdroppers to
>> see which pattern is being used, or exploit weak RNGs or something.
>>
>>
>> 2)  Drop the special-case in MixKey(), which was:  "If has_key ==
>> False sets k = HASH(data)".  Now it does HMAC-HASH(GETKEY(k, n), data)
>> always, even if k and n are zeros.
>>
>> If you really want to optimize this you could hard-code constants and
>> then this would only be 1 extra compression function.  Most people
>> won't bother with this, but this sort of micro-optimization doesn't
>> matter much, so maybe we should prefer simplicity.
>>
>>
>> 3)  Change handshake hashing to use ciphertext instead of plaintext.
>> I was originally thinking that hashing plaintext makes it easier to
>> see we are binding the correct values, and the MACs we're using don't
>> leak information about their input.
>>
>> But on further thought, it's easier to argue the other way: if h binds
>> all relevant public keys then encryption is deterministic and "1-to-1"
>> with plaintext, whereas the risk of h leaking plaintext information
>> through the MAC seems more of a concern.
>>
>>
>> 4) Drop preshared-keys.  They complicate handshake hashing, because
>> they're an additional input that's difficult to cover by the hash.
>> Also, you can use ephemeral pre-messages and dhee to accomplish
>> basically the same thing.
>>
>>
>> Trevor
>> _______________________________________________
>> Noise mailing list
>> Noise at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/noise
>
> --
> Stephen Touset
> stephen at squareup.com
>
>
>

More information about the Noise mailing list