[noise] New branch: n0

Trevor Perrin trevp at trevp.net
Thu Oct 1 17:26:26 PDT 2015


Based on discussion with Jason, I think it would be good to initialize
*both* k and h to the handshake name:

 * k to prevent problems with reusing the same keys across different
protocols (which is inherently risky if you don't do careful analysis,
but we should mitigate the risk as much as we can)

 * h so that the final h value binds the entire handshake, so it could be
used by higher-level protocols: e.g. signed by something like
ChannelID or a future Noise variant with signatures.

But GETKEY(k, ...) with handshake_name as k is ugly: using a known
fixed value as a cipher key gives no guarantees with standard PRP/PRF
assumptions about the cipher (e.g. two handshake names could give
equivalent cipher keys and this would not mean it's a weak cipher;
cipher security is evaluated wrt random keys).

The reason for the GETKEY() is that k is sometimes used for
encryption, so we want a value independent from previous encryptions.
But in this case k wasn't used before, so it would be better to skip
the GETKEY() and just do HMAC(k, ...) directly.

So I added a "n0" branch that special-cases MixKey():

 * If n==0 do HMAC-HASH(k, ...)
 * Else do HMAC-HASH(GETKEY(k), ...)

Besides MixKey() on the first DH, this means back-to-back DHs during
the handshake also skip the unnecessary GETKEY(), which is a slight
optimization.
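As an added illustration (not code from the post or from the Noise spec), a minimal Go sketch of the n0 branch: both k and h start as the handshake name, and MixKey feeds k to HMAC-HASH directly while n==0, going through GETKEY only once k has been used for encryption. Two details are assumptions not fixed by the post: GETKEY is instantiated with AES-256-GCM, and names are zero-padded to 32 bytes (hashed if longer).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

type SymmetricState struct {
	K, H []byte // cipher key and handshake hash, both seeded with the name
	N    uint64 // nonce: how many times K has been used for encryption
}

// Initialize sets both K and H to the handshake name, as the post proposes.
// Assumption: names up to 32 bytes are zero-padded, longer ones SHA-256 hashed.
func Initialize(name string) *SymmetricState {
	v := make([]byte, 32)
	if len(name) > 32 {
		sum := sha256.Sum256([]byte(name))
		v = sum[:]
	} else {
		copy(v, name)
	}
	return &SymmetricState{K: v, H: append([]byte(nil), v...)}
}

// GetKey derives a key independent of earlier encryptions by encrypting 32 zero
// bytes under (K, N). Assumption: AES-256-GCM with N in the nonce's last 8 bytes.
func GetKey(k []byte, n uint64) []byte {
	block, _ := aes.NewCipher(k)
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], n)
	return aead.Seal(nil, nonce, make([]byte, 32), nil)[:32]
}

// MixKey is the n0 branch: a key never used for encryption (N == 0) is fed to
// HMAC-HASH directly; otherwise it is passed through GetKey first.
func (s *SymmetricState) MixKey(input []byte) {
	key := s.K
	if s.N != 0 {
		key = GetKey(s.K, s.N)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(input)
	s.K, s.N = mac.Sum(nil), 0 // the fresh key starts with nonce 0 again
}
```

Back-to-back MixKey calls leave N at 0, so each one skips GetKey, which is the optimization the post mentions.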

https://github.com/trevp/noise/blob/n0/noise.md

Let's think on this for a bit.

Trevor

