[noise] New branch: hkdf
Trevor Perrin
trevp at trevp.net
Fri Oct 2 18:00:08 PDT 2015
https://github.com/trevp/noise/blob/hkdf/noise.md

Offlist I've gotten feedback: Why not just use HKDF for key
derivation, since everyone else does: (QUIC, TLS 1.3, IPsec).

The current design is elegant in that it doesn't need separate cipher
keys or chain keys, and it can be optimized to a pretty minimal amount
of hash / cipher ops.

The counter-argument is:

* Everyone else uses HKDF, so it's going to be harder to make people
  comfortable with a different design, and we don't benefit from the
  analysis and review that HKDF gets
* These micro-optimizations don't matter
* The GETKEY() construct adds a bunch of complexity to explain that
  we're using the AEAD, but also allowing you to skip the AEAD and just
  use the cipher

So I spec'd out an HKDF version. Let's consider this and see if we prefer it.

Trevor