[noise] New branch: "simpler"

Trevor Perrin trevp at trevp.net
Thu Oct 1 16:18:17 PDT 2015


On Thu, Oct 1, 2015 at 2:07 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> If handshake_name is used as the initial k, as you've changed in response to
> my first inquiry, it doesn't _also_ need to be included in the initial h,

It should also be in h, for a couple reasons:
 * h should cover the entire handshake, so it can be used as a
to-be-signed / channel-binding value by higher-level protocols
 * The inclusion of name in k is ad-hoc:  Encryption algorithms aren't
the same as collision-resistant hash functions, so there's not the
same strong guarantee that future values of k will "bind" earlier
values

The second point is a little ugly, and makes me want to consider one
more change.  I'll put that in a separate thread.

Trevor



> because the first call to encrypt/getkey will use k, and thus h will be
> bound to the initial value of k, which is handshake_name. Therefore, I'd
> suggest k = handshake_name, h = empty.
>
> Jason
>
> On Oct 1, 2015 6:46 PM, "Trevor Perrin" <trevp at trevp.net> wrote:
>>
>> On Thu, Oct 1, 2015 at 3:00 AM, Jason A. Donenfeld <Jason at zx2c4.com>
>> wrote:
>> > With a premessage and a handshake name, things wind up looking like:
>> >
>> >     initiator.key = 32 bytes of zeros
>> >     initiator.hash = HASH("Noise WireGuard zx2c4 2015-09-30" ||
>> > responder.static_public)
>> >
>> > Why not instead initiate the key with the handshake name, instead of the
>> > hash? It seems like this would also go a bit further in reducing
>> > key-reuse
>> > too. So, instead:
>> >
>> >     initiator.key = "Noise WireGuard zx2c4 2015-09-30"
>> >     initiator.hash = HASH(responder.static_public)
>>
>>
>> I want h to bind everything, including the name, so it could later be
>> used for signatures etc.
>>
>> But now that we're not special-casing the first MixKey(), we might as
>> well get use out of it, and you're right that mixing the name into k
>> is a little more conservative, in case keys are shared with some other
>> protocol that doesn't take any reuse precautions.
>>
>> So I've changed revision 8 to set k = h = handshake_name.
>>
>> Trevor
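
Added example, not part of the original thread or of the Noise specification: a simplified Python model of the two initializations discussed above (h = handshake_name versus h = empty), showing why a higher-level protocol that authenticates h needs the name inside h. It assumes h is updated as SHA-256(h || data), uses HMAC as a stand-in for the higher-level signature, and covers only the cleartext part of a handshake; the second protocol name, the key values and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Handshake name taken from the thread; the second name is constructed.
NAME_A = b"Noise WireGuard zx2c4 2015-09-30"
NAME_B = b"Noise ExampleProto constructed 1"

# Constructed sample values (not real keys).
RESPONDER_STATIC_PUBLIC = bytes(range(32))
INITIATOR_EPHEMERAL_PUBLIC = bytes(range(32, 64))
APP_KEY = b"constructed higher-level auth key"


def mix_hash(h: bytes, data: bytes) -> bytes:
    """Assumed update rule for this model: h = SHA-256(h || data)."""
    return hashlib.sha256(h + data).digest()


def transcript_hash(name: bytes, name_in_h: bool) -> bytes:
    """h after the premessage and one cleartext ephemeral key.

    name_in_h=True  models k = h = handshake_name.
    name_in_h=False models k = handshake_name, h = empty; k is not
    used yet because nothing has been encrypted at this point.
    """
    h = name if name_in_h else b""
    h = mix_hash(h, RESPONDER_STATIC_PUBLIC)      # premessage
    h = mix_hash(h, INITIATOR_EPHEMERAL_PUBLIC)   # cleartext token
    return h


def binding_tag(h: bytes) -> bytes:
    """Stand-in for a higher-level signature over h (channel binding)."""
    return hmac.new(APP_KEY, h, hashlib.sha256).digest()


def cross_protocol_tag_accepted(name_in_h: bool) -> bool:
    """Does a tag made in protocol A verify against protocol B's h?"""
    tag_from_a = binding_tag(transcript_hash(NAME_A, name_in_h))
    expected_in_b = binding_tag(transcript_hash(NAME_B, name_in_h))
    return hmac.compare_digest(tag_from_a, expected_in_b)


if __name__ == "__main__":
    print("h = name :", cross_protocol_tag_accepted(True))
    print("h = empty:", cross_protocol_tag_accepted(False))
```

Once a ciphertext produced under k is mixed into h, the h = empty variant binds the name only as strongly as the cipher binds its key, which is the second point raised in the reply above.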

