[noise] Noise+Strobe=Disco

David Wong davidwong.crypto at gmail.com
Sat Jun 17 05:36:00 PDT 2017

Hello all!

I've been looking at Strobe[1] a lot (a protocol framework that Mike
Hamburg announced on this mailing list a while ago). And I've been
thinking about merging Noise and Strobe together. Trev proposed the
name "Disco" which makes sense so I'll keep it, and I've then been
working on a "proposal" for Noise.
Of course this is by no mean a proposal to change Noise, as the
specification is already stable and great. But rather a proposal for
something new.

Strobe is a framework to build symmetric protocols (as opposed to
Noise that focus on the asymmetric side of things). It is based on the
duplex construction[2] and works on top of the keccak permutation.
Because of this, it allows users to have access to a myriad of
cryptographic functions (encryption, mac, prf, kdf, hash, ...) via a
single cryptographic primitive and a small codebase (470LOC (+100LOC
for keccak) on Mike's C implementation[3]). Calls to this primitive
can be made individually, or continuously. The latter creates a
protocol and every new operation relies on the result of all previous
operations. Sounds like Noise doesn't it? I have a "readable"
implementation of the framework for those interested[4], which can be
instantiated via the InitStrobe() function, and has a number of public
functions available (AD, PRF, KEY, send_ENC, ...).

This similarity with Noise is what pushed me to think about a merge.
I've started experimenting with it[5] and got rid of more than 50% of
the code of Noise. I think it would also do wonders to the Noise
specification and greatly simplify it. Of course you need to add the
specification and code of Strobe, but it is nothing compared to the
spec+code of SHA-256, Chacha20Poly1305, HMAC and HKDF (if you were to
instance your Noise protocol with these).

What I've done: I've removed all the symmetric cryptographic functions
and got rid of the CipherState as well as the SymmetricState. Now
Every token's operation is absorbed by one of Strobe's call. After a
handshake is completed, instead of Split()'ing, the main strobe state
is cloned and re-key'ed with two different strings: "initiator" and
"responder". The two peers can then use the two strobe states to write
and read on the secure channel, this way the symmetric part of the
protocol is also relying on all the previous messages.

I'd be interested to know what people think of this idea. (It is of
course highly experimental.)

Thanks for reading this!

[1]: https://strobe.sourceforge.io/specs/
[2]: http://sponge.noekeon.org/SpongeDuplex.pdf
[3]: https://github.com/mimoo/strobe-mirror/blob/master/strobe.c (this
is a mirror)
[4]: https://github.com/mimoo/StrobeGo/blob/master/strobe/strobe.go
[5]: https://github.com/mimoo/NoiseGo/blob/master/disco/disco.go

More information about the Noise mailing list