[noise] Deriving additional keys

Rhys Weatherley rhys.weatherley at gmail.com
Sat Oct 8 18:03:38 PDT 2016

On Sun, Oct 9, 2016 at 6:57 AM, Trevor Perrin <trevp at trevp.net> wrote:

> To derive an "additional" key or pair of keys, do:
>   ki : initiator's post-handshake encryption key
>   name : ASCII string zero-padded to 32 bytes
>   K = ENCRYPT(ki, nonce=2^64-1, ad=zerolen, plaintext=zeros[32])[0..32]
>   return HKDF(K, name)

Why does the name need to be padded?  The hash that HKDF is based on will
pad anyway.  Then the name can be arbitrary-length.

I was thinking that rather than the PSK being the "resumption key", "K"
could be the resumption key from which the PSK's are generated for
follow-up sessions:

    PSK = HKDF(K, name || nonce)

Where "nonce" is a randomly generated value and/or timestamp sent as part
of the prologue for the new session.  I was thinking that, but then I
realised that the PSK is already nonce'd with the initiator's ephemeral
public key.  So, ignore that. :-)

However, my thought experiment does imply that "name" or parts thereof may
not be known until the new session starts if it contains session-specific

    PSK = HKDF(K, name || context)

So "K" might be the resumption key after all.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20161009/65b39bc8/attachment.html>

More information about the Noise mailing list