[noise] Analysis of Noise KDF
Jason A. Donenfeld
Jason at zx2c4.com
Thu Apr 28 15:09:58 PDT 2016
> (Note on "Dual-PRF": The HMAC proof in [BELLARE2006] assumes the
> compression function is a "Dual-PRF", i.e. a PRF when keyed either
> through the message, or through the IV. Bellare uses this to go from
> NMAC -> HMAC, since the HMAC key is passed through the message input.
> Dual-PRF is a reasonable assumption, since hash functions are designed
> to be random if any part of the input is random, not just the IV.)
Keyed-BLAKE2 is also a Dual-PRF. Why not use HMAC-SHA2-n for the
SHA2-256 and SHA2-512 families, and Keyed-BLAKE2n for the BLAKE2s and
BLAKE2b constructions? You get a Dual-PRF out of SHA2 with HMAC. You
get a Dual-PRF out of BLAKE2 with its built-in PRF mode.
> HKDF(ck, input):
>     temp = HMAC(key=ck, input)
>     new_ck = HMAC(key=temp, 0x01)
>     output_key = HMAC(key=temp, new_ck || 0x02)
>     return (new_ck, output_key)
I'm wondering, since Noise only ever needs two new values out of the
KDF, why not use something simpler like:
    KDF(ck, input):
        temp = HMAC(key=ck, input)
        new_ck = HMAC(key=temp, [empty])
        output_key = HMAC(key=temp, new_ck)
        return (new_ck, output_key)
This is simpler and less expensive computationally, and also allows
for more even stack sizes. Put together, what I propose is:
    KDF(ck, input):
        temp = PRF(key=ck, input)
        new_ck = PRF(key=temp, [empty])
        output_key = PRF(key=temp, new_ck)
        return (new_ck, output_key)
Where PRF is HMAC-SHA2 or Keyed-BLAKE2, depending on the cipher suite family.
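
The two constructions discussed in this message, as an added Python example that is not part of the original e-mail or of the Noise specification: the quoted HKDF next to the proposed KDF, with PRF instantiated as HMAC-SHA256 or keyed BLAKE2s. The function names, the all-zero starting chaining key and the sample inputs are constructed for illustration.

```python
import hashlib
import hmac

def hmac_sha256(key: bytes, data: bytes) -> bytes:
    """PRF for the SHA2-256 family: HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def keyed_blake2s(key: bytes, data: bytes) -> bytes:
    """PRF for the BLAKE2s family: BLAKE2's keyed mode (key <= 32 bytes)."""
    return hashlib.blake2s(data, key=key, digest_size=32).digest()

def hkdf_quoted(ck: bytes, input_: bytes):
    """The quoted HKDF: HMAC extract, then two blocks with counter bytes."""
    temp = hmac_sha256(ck, input_)
    new_ck = hmac_sha256(temp, b"\x01")
    output_key = hmac_sha256(temp, new_ck + b"\x02")
    return new_ck, output_key

def kdf_proposed(prf, ck: bytes, input_: bytes):
    """The proposed KDF: same chaining, no counter bytes, PRF set per suite."""
    temp = prf(ck, input_)
    new_ck = prf(temp, b"")          # [empty] message
    output_key = prf(temp, new_ck)
    return new_ck, output_key

def run_chain(prf, inputs):
    """Apply kdf_proposed to each input in turn, carrying new_ck forward."""
    ck = bytes(32)                   # constructed all-zero starting chaining key
    keys = []
    for item in inputs:
        ck, k = kdf_proposed(prf, ck, item)
        keys.append(k)
    return ck, keys

if __name__ == "__main__":
    # Constructed sample inputs standing in for DH outputs.
    sample = [b"constructed DH output 1", b"constructed DH output 2"]
    for name, prf in (("HMAC-SHA256", hmac_sha256),
                      ("Keyed-BLAKE2s", keyed_blake2s)):
        ck, keys = run_chain(prf, sample)
        print(name, ck.hex(), [k.hex() for k in keys])
```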