[noise] Notes from CRYPTO

Trevor Perrin trevp at trevp.net
Fri Sep 8 06:14:54 PDT 2017

Hi all,

At the CRYPTO conference I discussed Noise with several people, in
particular Peter Schwabe, Douglas Stebila, and Mike Hamburg.

Here are some points that emerged about post-quantum crypto (like Kyber), and
STROBE (as in David Wong's "Disco" approach to Noise + Strobe):

Post-quantum algorithms and XOFs
Many post-quantum algorithms require a sort of KDF or XOF ("extensible
output function") which takes a small symmetric key (e.g. 32 bytes) and
expands it to a larger number of bytes.  For example, Kyber specifies
SHAKE-128, a Keccak-based XOF [1].

It's not clear how we're going to harmonize the symmetric-crypto inside
these PQ algorithms with the symmetric-crypto in the rest of Noise.  For
example, if we follow the Kyber spec literally, then Kyber would *always*
use SHAKE-128 internally, regardless of the hash choice made for the Noise

But if you're doing, say, Noise_XX+hfs_25519+Kyber_AESGCM_SHA256, you might
prefer to use SHA256 internally to Kyber.  This requires turning SHA256
into an XOF, which isn't hard with HMAC or HKDF, but leads to questions:
 - Do we need to coordinate this with Kyber authors (and other PQ
authors?)  Or will these PQ algorithms have an interface for plugging in an
external XOF?
 - Are there key-reuse / domain separation concerns if we allow a static PQ
key to be used with different XOFs?
 - If we specify an HMAC or HKDF construction, do we apply that
consistently to all hash functions (annoying some people again that we're
not using the Keccak and BLAKE2 designers' chosen XOF), or do we
allow/require this to be specialized for certain hashes?

There are a lot of options, so it's hard to know what's best.  Any thoughts
are welcome.

 * For nonce-based AEAD, I think it seemed simplest to just copy the Strobe
state containing the key, then feed in the nonce ("AD" operation?),
followed by plaintext or ciphertext.

 * Mike didn't seem to think that Strobe's "RATCHET" operation was ideal
for Noise's Rekey.  I didn't follow all his reasoning, but Section B.2 of
[2] discusses one limitation to "RATCHET", and mentions just using "PRF" to
output a new key, which might suffice.


[1] https://eprint.iacr.org/2017/634.pdf
[2] https://eprint.iacr.org/2017/003.pdf
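The message above raises two concrete points: turning a fixed-output hash like SHA256 into an XOF via HMAC/HKDF, and the key-reuse / domain-separation question when one static PQ seed is expanded under different XOFs. The following is an added illustration, not code from the email, from Noise, or from the Kyber authors. It implements HKDF (RFC 5869) over Python's `hashlib`, wraps it as a seed-expanding XOF alongside SHAKE-128, and shows that (a) the two expansions of the same seed are unrelated byte streams, (b) an explicit domain-separation label keeps two uses of the same seed apart, and (c) both constructions are prefix-consistent, so asking for more bytes later does not change the bytes already produced. The `label` argument and the `SEED` value are assumptions for the demo; neither is specified by the email or by the Kyber paper.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM). Empty salt -> hash_len zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand is limited to 255 * hash_len output bytes")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def xof_hkdf(seed: bytes, label: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """A fixed-output hash turned into an XOF: extract from the seed, expand under a label.

    The label is the domain-separation handle (an assumption of this demo): two
    different uses of one static seed get different streams if their labels differ.
    """
    prk = hkdf_extract(b"", seed, hash_name)
    return hkdf_expand(prk, label, length, hash_name)


def xof_shake128(seed: bytes, label: bytes, length: int) -> bytes:
    """The Keccak designers' own XOF, absorbing label || seed and squeezing `length` bytes."""
    return hashlib.shake_128(label + seed).digest(length)


def rfc5869_selfcheck() -> bool:
    """Check hkdf_extract/hkdf_expand against RFC 5869 test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (
        prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
        and okm.hex()
        == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )


# Constructed 32-byte seed standing in for a PQ algorithm's internal symmetric key.
SEED = bytes(range(32))


def compare_expansions(seed: bytes = SEED, length: int = 64) -> dict:
    """Expand one seed several ways and report the properties a protocol designer cares about."""
    a = xof_hkdf(seed, b"Noise/demo/matrix", length)          # labels are constructed
    b = xof_hkdf(seed, b"Noise/demo/noise-sampler", length)
    s = xof_shake128(seed, b"Noise/demo/matrix", length)
    return {
        "lengths_ok": len(a) == len(b) == len(s) == length,
        "labels_separate": a != b,                               # same seed, different label
        "hkdf_differs_from_shake": a != s,                       # same seed+label, different XOF
        "hkdf_prefix_consistent": xof_hkdf(seed, b"Noise/demo/matrix", 2 * length)[:length] == a,
        "shake_prefix_consistent": xof_shake128(seed, b"Noise/demo/matrix", 2 * length)[:length] == s,
        "deterministic": xof_hkdf(seed, b"Noise/demo/matrix", length) == a,
    }


if __name__ == "__main__":
    print("RFC 5869 vector:", rfc5869_selfcheck())
    for k, v in compare_expansions().items():
        print(f"{k}: {v}")
```

The point of the comparison is the one the email makes: a seed expanded with HKDF-SHA256 and the same seed expanded with SHAKE-128 are two unrelated keystreams, so a protocol that lets one static PQ seed be expanded under either has to decide whether that is a problem, and a label in the `info` (or absorbed before the seed) is the usual way to keep distinct uses of one seed from colliding. HKDF's 255 * hash_len output cap is also a practical difference from SHAKE, whose output is unbounded.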
