[noise] Reworking PSK usage

Jason A. Donenfeld Jason at zx2c4.com
Tue May 2 12:56:58 PDT 2017

On May 2, 2017 21:29, "Trevor Perrin" <trevp at trevp.net> wrote:

  ck, k, temp = HKDF(ck, psk)

Actually, my suggestion and what I placed in that pull request is:

  ck, temp, k = HKDF(ck, psk)

The reason is that there are cases in which k is overwritten again without
being used. In that case implementations can optimize by not having to
compute that last hmac. Functional languages like Haskell get this for
free. C++ implementations can get this for free with smart use of
constexpr. C implementations get this for free with careful use of gcc
constant propagation. The difference is trivial from a crypto point of view
but makes a nice difference in implementations.

We haven't broken compatibility since 2015, so this would require
updates for existing libraries.  That's unfortunate but this does seem
like a more thoughtful and flexible approach, which would see
real-world use.  I'd like to hear what the library developers think.
Luckily, I don't think PSK had gotten much use outside of WireGuard,
which is willing to change.


Noise mailing list
Noise at moderncrypto.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20170502/98754b12/attachment.html>

More information about the Noise mailing list