[noise] Another spec issue: remote ephemeral keys

Rhys Weatherley rhys.weatherley at gmail.com
Sat Apr 16 03:07:38 PDT 2016

Just to beat this dead horse one more time before I shut up. :-)

I wrote a test to investigate the impact of null keys (ephemeral or static)
on the chaining key.  For this purpose I classify "entropy collapse" as a
scenario where all DH outputs are the null value, making the chaining key
completely deterministic even if some of the inputs were non-null.

I found about 40 scenarios in the existing handshake patterns where entropy
collapse can occur, listed at the end of this message.  An example:

Noise_XK(s, rs): e s

In this case, if "e" and "s" are both null, then all DH outputs will be
null even if "re" and "rs" were non-null.  Some of the scenarios require
mutual collaboration (e.g. "e re") but quite a lot occur when only one side
is outputting nulls.  No matter what the other side does, it doesn't help
get back to an unpredictable chaining key.

If null ephemeral keys are banned, then the list reduces to only 3
scenarios, all one-way patterns.



Scenarios where entropy collapse occurs if null ephemeral keys are banned:

Noise_N(rs): rs
Noise_X(s, rs): rs
Noise_K(s, rs): rs

Scenarios where entropy collapse can occur due to null keys:

Noise_N(rs): e
Noise_N(rs): rs

Noise_X(s, rs): e s
Noise_X(s, rs): rs

Noise_K(s, rs): e s
Noise_K(s, rs): rs

Noise_NN(): e
Noise_NN(): re

Noise_NK(rs): e
Noise_NK(rs): re rs

Noise_NX(rs): e
Noise_NX(rs): re rs

Noise_XN(s): e s
Noise_XN(s): re

Noise_XK(s, rs): e s
Noise_XK(s, rs): e re
Noise_XK(s, rs): re rs

Noise_XX(s, rs): e s
Noise_XX(s, rs): e re
Noise_XX(s, rs): re rs

Noise_XR(s, rs): e s
Noise_XR(s, rs): e re
Noise_XR(s, rs): re rs

Noise_KN(s): e s
Noise_KN(s): re

Noise_KK(s, rs): e s
Noise_KK(s, rs): re rs

Noise_KX(s, rs): e s
Noise_KX(s, rs): e re
Noise_KX(s, rs): re rs

Noise_IN(s): e s
Noise_IN(s): re

Noise_IK(s, rs): e s
Noise_IK(s, rs): re rs

Noise_IX(s, rs): e s
Noise_IX(s, rs): e re
Noise_IX(s, rs): re rs

Noise_XXfallback(s, rs, re): e s
Noise_XXfallback(s, rs, re): e re
Noise_XXfallback(s, rs, re): re rs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160416/b46531cf/attachment.html>

More information about the Noise mailing list