[noise] Rekey

[Trevor Perrin]

Per [1] I'd like to add a "rekey" capability to Noise which replaces a
CipherState's key with a one-way function of the key, for forward
secrecy.

The application would decide if/when to rekey the transport
Cipherstates, e.g. after every Noise message, or every application
message, or when indicated by some application-layer signal.

This should be capable of handling a high frequency of rekeys (e.g.
after every message).

Assume a function F(k) that returns a new key based on an input key
(e.g. encrypting a block of zeros with k).  Some options:

(A)  k, n = F(k), 0

(B)  k, n = F(k), n

(C)  k, n = F(k) XOR n, n


B and C don't reset n so the number of encryptions is still < 2^64
across all rekeys.  I guess that puts a bound on how much entropy
might be lost by iterating a non-injective function?

C is the sort of trick I've seen people do to protect against short
cycles.  I've never been super-clear what analysis this is based on,
or whether it's just superstition?

Thoughts, from any cryptographers?

Trevor

[1] https://github.com/noisesocket/spec/blob/master/noise_socket.md