[noise] Deriving additional keys
Trevor Perrin
trevp at trevp.net
Sat Oct 8 13:57:36 PDT 2016
We had an earlier thread on "Resumption PSKs":
https://moderncrypto.org/mail-archive/noise/2016/000659.html
The question was: can we derive a symmetric key from an earlier
session, for use as PSK with a subsequent handshake? (Of course, we
could just transmit the PSK, but deriving it is a little more
efficient.) I had a proposal, but I think this is a better one:
To derive an "additional" key or pair of keys, do:
ki : initiator's post-handshake encryption key
name : ASCII string zero-padded to 32 bytes
K = ENCRYPT(ki, nonce=2^64-1, ad=zerolen, plaintext=zeros[32])[0..32]
return HKDF(K, name)
For resumption, we could recommend using an empty name, and taking the
first HKDF output as the PSK, and the second HKDF output as a label
that can be attached to the first handshake message (somehow) to
indicate which PSK to use.
Some nice points:
* K can be reused with different names, so if you want to generate
lots of resumption PSKs, or keys for other purposes, that's easy to
do.
* K only needs to be calculated if additional key derivation is used,
otherwise this is a "zero cost" feature. Alternatively we could
derive K from the ck at the time of Split(), but then we have to know
in advance whether it will be needed.
Trevor
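An added worked example of the derivation proposed in the post above. This is not code from the post or from the Noise project; it is written here to show the two steps (compute K from ki with the reserved nonce, then run HKDF(K, name)) end to end with only the Go standard library. It assumes the AESGCM cipher function and SHA256 hash, the Noise spec's AESGCM nonce encoding (32 zero bits followed by the 64-bit nonce, big-endian), and the Noise two-output HKDF built from HMAC. The sample ki is a constructed value standing in for the initiator's post-handshake encryption key that both parties hold after Split(). The names of the functions are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// hmacSHA256 is the HMAC primitive Noise's HKDF is built from (HASH = SHA256).
func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// noiseHKDF is Noise's two-output HKDF(chaining_key, input_key_material):
// temp_key = HMAC(ck, ikm); out1 = HMAC(temp_key, 0x01); out2 = HMAC(temp_key, out1 || 0x02).
func noiseHKDF(ck, ikm []byte) (out1, out2 []byte) {
	tempKey := hmacSHA256(ck, ikm)
	out1 = hmacSHA256(tempKey, []byte{0x01})
	out2 = hmacSHA256(tempKey, append(append([]byte{}, out1...), 0x02))
	return out1, out2
}

// noiseEncryptAESGCM is Noise's ENCRYPT(k, n, ad, plaintext) for the AESGCM
// cipher function: the 96-bit GCM nonce is 32 zero bits followed by n as a
// 64-bit big-endian value. The result is ciphertext || 16-byte tag.
func noiseEncryptAESGCM(k []byte, n uint64, ad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], n)
	return aead.Seal(nil, nonce, plaintext, ad), nil
}

// DeriveK computes K = ENCRYPT(ki, nonce=2^64-1, ad=zerolen, plaintext=zeros[32])[0..32].
// The first 32 bytes of the output are the keystream for that nonce, so the
// CipherState that owns ki must never encrypt a transport message under
// nonce 2^64-1, or K would equal that message's keystream.
func DeriveK(ki []byte) ([]byte, error) {
	ct, err := noiseEncryptAESGCM(ki, ^uint64(0), nil, make([]byte, 32))
	if err != nil {
		return nil, err
	}
	return ct[:32], nil
}

// padName zero-pads an ASCII name to exactly 32 bytes, rejecting anything else.
func padName(name string) ([]byte, error) {
	if len(name) > 32 {
		return nil, errors.New("name longer than 32 bytes")
	}
	for i := 0; i < len(name); i++ {
		if name[i] > 0x7f {
			return nil, errors.New("name is not ASCII")
		}
	}
	buf := make([]byte, 32)
	copy(buf, name)
	return buf, nil
}

// DeriveAdditionalKeys returns HKDF(K, name). For resumption the post
// suggests an empty name: the first output is the PSK, the second the label
// that identifies which PSK to use.
func DeriveAdditionalKeys(ki []byte, name string) (psk, label []byte, err error) {
	K, err := DeriveK(ki)
	if err != nil {
		return nil, nil, err
	}
	padded, err := padName(name)
	if err != nil {
		return nil, nil, err
	}
	psk, label = noiseHKDF(K, padded)
	return psk, label, nil
}

func main() {
	// Constructed sample key: stands in for the initiator's post-handshake
	// encryption key ki. Both parties compute the same outputs from it.
	ki := bytes.Repeat([]byte{0x42}, 32)
	for _, name := range []string{"", "resumption-2", "export"} {
		psk, label, err := DeriveAdditionalKeys(ki, name)
		if err != nil {
			panic(err)
		}
		fmt.Printf("name=%q\n  psk   %s\n  label %s\n", name, hex.EncodeToString(psk), hex.EncodeToString(label))
	}
}
```

Because K is computed once from ki and then fed to HKDF with the name as input keying material, reusing K with several names (as the post's first "nice point" describes) costs one HMAC-based HKDF per name and no further AEAD calls.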