[noise] Analysis of Noise KDF

Trevor Perrin trevp at trevp.net
Fri Apr 29 14:08:29 PDT 2016

On Fri, Apr 29, 2016 at 1:47 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Fri, Apr 29, 2016 at 2:29 AM, Trevor Perrin <trevp at trevp.net> wrote:
>> Your proposal reduces the amount of hashing applied to inputs.  So the
>> current design has more security margin, if the hash turns out to be
>> bad.
> This isn't super compelling. It's like saying -- let's apply AES four times,
> in case it turns out to be bad. The primitive designers have hopefully
> already left a reasonable margin in case a few rounds are broken.

Ciphers have a simpler security model: they just have to be PRFs /
PRPs, and the "key" input is clearly labelled.

To model the hash in the KDF we have to use ideal assumptions, or make
assumptions about random salts, and PRFs when keyed with different
parts of the input, etc.

Hash functions also seem harder to design and get broken more (DES is
still pretty good, apart from keysize; but MD4, MD5, SHA-0, and SHA-1
aren't; though HMAC mitigates a lot of the damage, so that's a good
empirical argument for it).

So I think it's reasonable to be more cautious about hashes than ciphers.

