[noise] Notes from CRYPTO

David Wong davidwong.crypto at gmail.com
Fri Sep 8 08:16:04 PDT 2017

Hope you are all enjoying CRYPTO!

>  For nonce-based AEAD, I think it seemed simplest to just copy the Strobe state containing the key, then feed in the nonce ("AD" operation?), followed by plaintext or ciphertext.

What you describe is the SpongeWrap mode introduced in "Duplexing the
sponge: single-pass authenticated encryption and other applications"
which sounds like a good idea. Otherwise Keyak, Ketje and the SIV
construction are also possible. The nice part about STROBE is that you
can get rid of the nonce though, which is both safer and more
efficient imo (hence why I'm pushing this for Disco).

> Mike didn't seem to think that Strobe's "RATCHET" operation was ideal for Noise's Rekey.  I didn't follow all his reasoning, but Section B.2 of [2] discusses one limitation to "RATCHET", and mentions just using "PRF" to output a new key, which might suffice.

I'm curious about the reasoning of Mike. If I understand correctly,
Noise's REKEY's only purpose is to introduce forward secrecy, which is
exactly what RATCHET does in STROBE. I'd be interested to hear more
about it.


More information about the Noise mailing list