[noise] Analysis of Noise KDF
Jason A. Donenfeld
Jason at zx2c4.com
Fri Apr 29 02:51:44 PDT 2016
On Fri, Apr 29, 2016 at 2:29 AM, Trevor Perrin <trevp at trevp.net> wrote:
>
> > This is simpler and less expensive computationally
>
> It's not simpler
>
Here's specifically what I mean. Here is HKDF:
static void kdf(u8 *first_dst, u8 *second_dst, const u8 *data,
size_t first_len, size_t second_len, size_t data_len,
const u8 chaining_key[NOISE_HASH_LEN])
{
u8 secret[BLAKE2S_OUTBYTES];
u8 output[BLAKE2S_OUTBYTES + 1];
BUG_ON(first_len > BLAKE2S_OUTBYTES || second_len > BLAKE2S_OUTBYTES);
/* Extract entropy from data into secret */
blake2s_hmac(secret, data, chaining_key, BLAKE2S_OUTBYTES, data_len,
NOISE_HASH_LEN);
/* Expand first key: key = secret, data = 0x1 */
output[0] = 1;
blake2s_hmac(output, output, secret, BLAKE2S_OUTBYTES, 1, BLAKE2S_OUTBYTES);
memcpy(first_dst, output, first_len);
/* Expand second key: key = secret, data = first-key || 0x2 */
output[BLAKE2S_OUTBYTES] = 2;
blake2s_hmac(output, output, secret, BLAKE2S_OUTBYTES, BLAKE2S_OUTBYTES +
1, BLAKE2S_OUTBYTES);
memcpy(second_dst, output, second_len);
/* Clear sensitive data from stack */
memzero_explicit(secret, BLAKE2S_OUTBYTES);
memzero_explicit(output, BLAKE2S_OUTBYTES + 1);
}
And here is the more simpler alternative I suggested:
static void kdf(u8 *first_dst, u8 *second_dst, const u8 *data,
size_t first_len, size_t second_len, size_t data_len,
const u8 chaining_key[NOISE_HASH_LEN])
{
u8 secret[BLAKE2S_OUTBYTES];
BUG_ON(first_len > BLAKE2S_OUTBYTES || second_len > BLAKE2S_OUTBYTES);
/* Extract entropy from data into secret */
blake2s_hmac(secret, data, chaining_key, BLAKE2S_OUTBYTES, data_len,
NOISE_HASH_LEN);
/* Expand first key: key = secret, data = [empty] */
blake2s_hmac(first_dst, NULL, secret, BLAKE2S_OUTBYTES, 0,
BLAKE2S_OUTBYTES);
/* Expand second key: key = secret, data = first-key */
blake2s_hmac(second_dst, first_dst, secret, BLAKE2S_OUTBYTES,
BLAKE2S_OUTBYTES, BLAKE2S_OUTBYTES);
/* Clear sensitive data from stack */
memzero_explicit(secret, BLAKE2S_OUTBYTES);
}
Less stack, less copying --> faster, simpler.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160429/b13ed7b3/attachment.html>
More information about the Noise
mailing list