[noise] Pre-shared Secret - preventing DoS, and ensuring post-quantum PFS

Trevor Perrin trevp at trevp.net
Wed Nov 11 13:16:49 PST 2015


On Wed, Nov 11, 2015 at 3:22 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> It occurred to me that Noise could benefit from having a pre-shared secret
> option, which could be in use by multiple peers at once. It would provide
> two nice properties:
>
> 1. If a pre-shared secret is provided, MixKey(pre-shared secret) is called
> during handshake initialization.


It's not a trivial addition:

 * A Noise handshake specifies a fixed sequence of MixKey / MixHash
steps, so we can't add an optional MixKey to a handshake.  This would
require either specifying "preshared_key" versions of the handshakes,
or always performing an extra MixKey().

 * h is intended to bind *all* previous data, but also to be
non-secret, so we'd need to MixHash() some value derived from the
pre-shared key.


More importantly, we can already use "pre-messages" to express key
distribution prior to the handshake.

So instead of a pre-shared symmetric key, the parties could use
pre-shared ephemeral public keys, and you could augment any handshake
to a "pse" version like this:

Noise_IK(s, rs):
  <- s
  ------
  -> e, dhes, s, dhss
  <- e, dhee, dhes


Noise_IK_pse(s, rs):
  -> e
  <- s, e
  ------
  -> dhee, e, dhes, s, dhss
  <- e, dhee, dhes


This forces people to do the pre-sharing with public keys instead of
symmetric keys or passwords, but that has security benefits, and it
keeps the design cleaner by reusing the pattern concept, instead of
introducing something new.


Trevor
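A runnable sketch of the two patterns above, added here as an illustration and not code from the thread or the Noise project: a toy SymmetricState with MixKey/MixHash, a constructed (insecure) Diffie-Hellman group, dh tokens read from the sender's perspective, and each `e` token treated as a fresh ephemeral that replaces the previous one; the last two points are assumptions of this sketch.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3  # toy Diffie-Hellman group (constructed, NOT secure)

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P).to_bytes(16, "big")

def dh(priv, pub):
    return pow(int.from_bytes(pub, "big"), priv, P).to_bytes(16, "big")

def hkdf(ck, ikm):  # Noise-style two-output KDF: new chaining key, new k
    tmp = hmac.new(ck, ikm, hashlib.sha256).digest()
    out1 = hmac.new(tmp, b"\x01", hashlib.sha256).digest()
    return out1, hmac.new(tmp, out1 + b"\x02", hashlib.sha256).digest()

class Party:
    def __init__(self, name):
        self.ck = self.h = hashlib.sha256(name.encode()).digest()
        self.k, self.keys, self.remote = None, {"s": keypair()}, {}
    def mix_hash(self, data):  # h is public and binds every key seen so far
        self.h = hashlib.sha256(self.h + data).digest()
    def mix_key(self, ikm):  # secret material only ever enters via ck/k
        self.ck, self.k = hkdf(self.ck, ikm)
    def write(self, tokens):
        msg = []
        for t in tokens:
            if t == "e":  # an 'e' token always creates a fresh ephemeral
                self.keys["e"] = keypair()
            if t in ("e", "s"):
                msg.append(self.keys[t][1]); self.mix_hash(self.keys[t][1])
            else:  # "dhXY" from the sender's view: my X with their Y
                self.mix_key(dh(self.keys[t[2]][0], self.remote[t[3]]))
        return msg
    def read(self, tokens, msg):
        msg = iter(msg)
        for t in tokens:
            if t in ("e", "s"):
                self.remote[t] = next(msg); self.mix_hash(self.remote[t])
            else:  # the same dh token, from the receiver's view
                self.mix_key(dh(self.keys[t[3]][0], self.remote[t[2]]))

def run(name, pattern):  # drive both parties through (direction, tokens) lines
    init, resp = Party(name), Party(name)
    for direction, tokens in pattern:
        sender, receiver = (init, resp) if direction == "->" else (resp, init)
        receiver.read(tokens, sender.write(tokens))
    return init, resp

IK = [("<-", ["s"]), ("->", ["e", "dhes", "s", "dhss"]), ("<-", ["e", "dhee", "dhes"])]
IK_PSE = [("->", ["e"]), ("<-", ["s", "e"]),  # pre-messages: MixHash only
          ("->", ["dhee", "e", "dhes", "s", "dhss"]), ("<-", ["e", "dhee", "dhes"])]
```

Running both patterns shows the two sides converging on the same `k` and `h`, with the pre-shared ephemerals entering the transcript hash via the pre-messages and the key via the leading `dhee`.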

