[noise] Extra Symmetric Key

Trevor Perrin trevp at trevp.net
Thu May 12 11:35:14 PDT 2016

There's a good discussion on tor-dev on adding a post-quantum key
exchange into the Ntor handshake:


The idea is simple, and similar to other proposals for "PQFS"
(post-quantum forward secrecy): run a post-quantum exchange in
parallel with a regular AKE, and then hash the keys together at the
end.  This means that if an attacker is recording traffic now, and
later figures out how to break the DH keys, they can't go back and
decrypt old traffic.  But we don't have to worry about the PQ
algorithm weakening things, if we do key derivation correctly.

(The world has a poor understanding of post-quantum algorithms
currently, and they mostly don't do DH, so it's premature to try to
define a "fully" post-quantum version of Noise where PQ algorithms are
used for authentication.  PQFS is a more reasonable goal in the near

I think we could add a hook for this pretty easily:

Allow an "extra symmetric key" (ESK) that would be an input to
Split(), and derive the transport keys as HKDF(ck, esk) instead of
just HKDF(ck, zero_len).

So you'd do your "extra" key agreement inside the Noise handshake
messages to derive an "esk", and feed an "esk" to Split() at the end.
Transport messages would be protected by the regular Noise handshake
plus whatever "extra" security is added by the esk.

I think I like this.  It's a small change, but only an addition - it
doesn't break anything, since we already have the extra HKDF to derive
transport keys.
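As an added illustration (not code from the Noise spec or from this thread), here is a Python sketch of Split() with the proposed ESK input, using Noise's HMAC-based HKDF construction with SHA-256; the chaining key and the post-quantum shared secret are constructed sample values, not output of a real handshake.

```python
import hashlib
import hmac

HASH = hashlib.sha256          # hash function of e.g. Noise_XX_25519_ChaChaPoly_SHA256
HASHLEN = HASH().digest_size   # 32


def noise_hkdf(chaining_key: bytes, ikm: bytes, num_outputs: int = 2) -> tuple:
    """Noise's HKDF: HMAC-HASH(ck, ikm) as extract, then counter-byte expand."""
    temp_key = hmac.new(chaining_key, ikm, HASH).digest()
    out1 = hmac.new(temp_key, b"\x01", HASH).digest()
    out2 = hmac.new(temp_key, out1 + b"\x02", HASH).digest()
    if num_outputs == 2:
        return out1, out2
    out3 = hmac.new(temp_key, out2 + b"\x03", HASH).digest()
    return out1, out2, out3


def split(ck: bytes, esk: bytes = b"") -> tuple:
    """Split() with the proposed ESK hook (a sketch of the proposal, not spec text).

    With esk == b"" (zero_len) this is exactly the existing Split(), so the
    change is backward compatible. A non-empty esk, e.g. a PQ shared secret
    agreed inside the handshake payloads, is mixed in as HKDF input key
    material; the transport keys still depend on ck, which is the post's
    point that a weak or attacker-known esk does not break the regular keys.
    """
    return noise_hkdf(ck, esk, 2)


def derive_transport_keys(ck: bytes, esk: bytes = b"") -> dict:
    """Return the two transport cipher keys Split() hands to the CipherStates."""
    k1, k2 = split(ck, esk)
    return {"initiator_to_responder": k1, "responder_to_initiator": k2}


# Constructed sample values (not from a real handshake):
SAMPLE_CK = hashlib.sha256(b"constructed chaining key after final MixKey").digest()
SAMPLE_PQ_SECRET = hashlib.sha256(b"constructed post-quantum shared secret").digest()

if __name__ == "__main__":
    plain = derive_transport_keys(SAMPLE_CK)
    pqfs = derive_transport_keys(SAMPLE_CK, SAMPLE_PQ_SECRET)
    for direction in plain:
        print(direction, "noise:", plain[direction].hex()[:16],
              "noise+esk:", pqfs[direction].hex()[:16])
```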
