[noise] Analysis of Noise KDF

Jason A. Donenfeld Jason at zx2c4.com
Thu Apr 28 15:09:58 PDT 2016

> (Note on "Dual-PRF": The HMAC proof in [BELLARE2006] assumes the
> compression function is a "Dual-PRF", i.e. a PRF when keyed either
> through the message, or through the IV.  Bellare uses this to go from
> NMAC -> HMAC, since the HMAC key is passed through the message input.
> Dual-PRF is a reasonable assumption, since hash functions are designed
> to be random if any part of the input is random, not just the IV.)

Keyed-BLAKE2 is also a Dual-PRF. Why not use HMAC-SHA2-n for the
SHA2-256 and SHA2-512 families, and Keyed-BLAKE2n for the BLAKE2s and
BLAKE2b constructions? You get a Dual-PRF out of SHA2 with HMAC. You
get a Dual-PRF out of BLAKE2 with its built in PRF mode.

> HKDF(ck, input):
>   temp       = HMAC(key=ck, input)
>   new_ck     = HMAC(key=temp, 0x01)
>   output_key = HMAC(key=temp, new_ck || 0x02)
>   return (new_ck, output_key)

I'm wondering, since Noise only ever needs two new values out of the
KDF, why not use something simpler like:

KDF(ck, input):
  temp       = HMAC(key=ck, input)
  new_ck     = HMAC(key=temp, [empty])
  output_key = HMAC(key=temp, new_ck)
  return (new_ck, output_key)

This is simpler and less expensive computationally, and also allows
for more even stack sizes. Put together, what I propose is:

KDF(ck, input):
  temp       = PRF(key=ck, input)
  new_ck     = PRF(key=temp, [empty])
  output_key = PRF(key=temp, new_ck)
  return (new_ck, output_key)

Where PRF is HMAC-SHA2 or Keyed-BLAKE2, depending on the cipher suite family.

More information about the Noise mailing list