[noise] Reworking PSK usage
Jason A. Donenfeld
Jason at zx2c4.com
Tue May 2 12:56:58 PDT 2017
On May 2, 2017 21:29, "Trevor Perrin" <trevp at trevp.net> wrote:
ck, k, temp = HKDF(ck, psk)
Actually, my suggestion and what I placed in that pull request is:
ck, temp, k = HKDF(ck, psk)
The reason is that there are cases in which k is overwritten again without
being used. In that case implementations can optimize by not having to
compute that last hmac. Functional languages like Haskell get this for
free. C++ implementations can get this for free with smart use of
constexpr. C implementations get this for free with careful use of gcc
constant propagation. The difference is trivial from a crypto point of view
but makes a nice difference in implementations.
We haven't broken compatibility since 2015, so this would require
updates for existing libraries. That's unfortunate but this does seem
like a more thoughtful and flexible approach, which would see
real-world use. I'd like to hear what the library developers think.
Luckily, I don't think PSK had gotten much use outside of WireGuard,
which is willing to change.
Noise mailing list
Noise at moderncrypto.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Noise