[noise] Multi party psk

Trevor Perrin trevp at trevp.net
Wed Jun 7 16:30:06 PDT 2017

On Wed, Jun 7, 2017 at 10:00 PM, Jonathan Moore
<jmoore at spideroak-inc.com> wrote:
> Would it be safe to take a shared s and do an HKDF( s, pubkey_n ) = s_n to
> create a unique s for each sender in a multi party channel?

Hi Jonathan,

Interesting question!

(Small note on terminology: "s" isn't the best name here, because
Noise uses that for a static key pair or static public key.)

If a server has a master symmetric key and wants to derive a shared
PSK with clients based on HKDF or just HMAC(master_key, client_ID)
that seems fine.  Client_ID could be anything, including the client's
public key.

I guess this could be a way to authenticate clients without the server
having to store a database of all Client IDs?  For example, a pattern
like NKpsk2 could allow the client send its ID in the first payload,
and then the server mixes the derived PSK in when responding.


More information about the Noise mailing list