[noise] Rekey
Trevor Perrin
trevp at trevp.net
Tue Mar 14 16:24:07 PDT 2017
Per [1] I'd like to add a "rekey" capability to Noise which replaces a
CipherState's key with a one-way function of the key, for forward
secrecy.
The application would decide if/when to rekey the transport
Cipherstates, e.g. after every Noise message, or every application
message, or when indicated by some application-layer signal.
This should be capable of handling a high frequency of rekeys (e.g.
after every message).
Assume a function F(k) that returns a new key based on an input key
(e.g. encrypting a block of zeros with k). Some options:
(A) k, n = F(k), 0
(B) k, n = F(k), n
(C) k, n = F(k) XOR n, n
B and C don't reset n so the number of encryptions is still < 2^64
across all rekeys. I guess that puts a bound on how much entropy
might be lost by iterating a non-injective function?
C is the sort of trick I've seen people do to protect against short
cycles. I've never been super-clear what analysis this is based on,
or whether it's just superstition?
Thoughts, from any cryptographers?
Trevor
[1] https://github.com/noisesocket/spec/blob/master/noise_socket.md
More information about the Noise
mailing list