[noise] Notes from CRYPTO

Trevor Perrin trevp at trevp.net
Fri Sep 8 22:25:24 PDT 2017

On Fri, Sep 8, 2017 at 3:16 PM, David Wong <davidwong.crypto at gmail.com>

> What you describe is the SpongeWrap mode introduced in "Duplexing the
> sponge: single-pass authenticated encryption and other applications"

In Strobe terms, would this be:


(from [1], section 5.2)?

> The nice part about STROBE is that you
> can get rid of the nonce though, which is both safer and more
> efficient imo (hence why I'm pushing this for Disco).

Is your efficiency concern that the key and nonce would occupy space in the
"rate" at the start of each AEAD call, whereas if you use a duplex object
that is stateful between AEAD calls then the full "rate" is available for
application data, since the key gets absorbed into the "capacity" prior to
the AEAD calls, and there's no nonce?

Losing nonce-based AEAD substantially limits the functionality of Noise,
e.g. you couldn't implement WireGuard.  That's a big loss of functionality
for a small optimization.

If we wanted nonce-based AEAD *and* this optimization, couldn't we do
something like encode the key and nonce directly into the SHAKE256
"capacity" (which is 512 bits, so could easily hold a 256-bit key and
64-bit nonce).  Then we'd get nonce-based AEAD plus the same efficiency, I
think?  Or is that not allowed?


[1] https://eprint.iacr.org/2017/003.pdf
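As an added illustration of the construction discussed above (my code, not from the thread, Strobe or Disco): a toy stateful duplex AEAD over Keccak-f[1600] in which the key is absorbed once before any AEAD call, so each later call uses the whole 136-byte rate for data and carries no nonce, with the capacity never touched by data. The frame bytes, the 16-byte tag and the one-rate-block-per-field limit are my assumptions; the permutation follows the compact reference layout and is cross-checked against hashlib's SHAKE256.

```python
import hashlib, hmac
RATE, TAG = 136, 16  # SHAKE256 rate in bytes (1088 bits); the 512-bit capacity is never touched by data

def rol(v, n): return ((v << (n % 64)) | (v >> (64 - n % 64))) & 0xFFFFFFFFFFFFFFFF
def keccak_f1600(state):  # Keccak-f[1600] on a 200-byte state; lane (x, y) is little-endian at byte 8*(x+5*y)
    L = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], 'little') for y in range(5)] for x in range(5)]
    r = 1
    for _ in range(24):
        c = [L[x][0] ^ L[x][1] ^ L[x][2] ^ L[x][3] ^ L[x][4] for x in range(5)]  # theta
        d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        L = [[L[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, L[1][0]  # rho + pi: walk the lanes, rotating by the triangular numbers
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, L[x][y] = L[x][y], rol(cur, (t + 1) * (t + 2) // 2)
        L = [[L[x][y] ^ (~L[(x + 1) % 5][y] & L[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]  # chi
        for j in range(7):  # iota: round constant bits from the reference LFSR
            r = ((r << 1) ^ ((r >> 7) * 0x71)) & 0xFF
            if r & 2:
                L[0][0] ^= 1 << ((1 << j) - 1)
    return bytearray(b''.join(L[x][y].to_bytes(8, 'little') for y in range(5) for x in range(5)))

def absorb(st, data, frame):  # XOR one field (< RATE bytes) into the rate, pad with a domain-separating frame byte, permute
    for i, b in enumerate(data):
        st[i] ^= b
    st[len(data)] ^= frame; st[RATE - 1] ^= 0x80
    return keccak_f1600(st)

def matches_stdlib(msg):  # sanity check: single-block SHAKE256 on this sponge must agree with hashlib
    return bytes(absorb(bytearray(200), msg, 0x1F)[:64]) == hashlib.shake_256(msg).digest(64)

class Duplex:
    """Toy stateful duplex AEAD in the SpongeWrap/Strobe style (not Strobe itself); one rate block per field."""
    def __init__(self, key):
        self.st = absorb(bytearray(200), key, 0x01)  # key absorbed once, up front; later calls carry no nonce
    def seal(self, ad, pt):
        self.st = absorb(self.st, ad, 0x02)
        ct = bytes(p ^ s for p, s in zip(pt, self.st))  # keystream is the current rate; the whole rate is available
        self.st = absorb(self.st, ct, 0x03)  # rate ^ ct == pt, so the state now carries the plaintext
        tag = bytes(self.st[:TAG])
        self.st = absorb(self.st, tag, 0x04)  # XORing the tag back in clears those rate bytes before continuing
        return ct + tag
    def open(self, ad, sealed):
        ct, tag = sealed[:-TAG], sealed[-TAG:]
        self.st = absorb(self.st, ad, 0x02)
        pt = bytes(c ^ s for c, s in zip(ct, self.st))
        self.st = absorb(self.st, ct, 0x03)
        ok = hmac.compare_digest(bytes(self.st[:TAG]), tag)
        self.st = absorb(self.st, tag, 0x04)
        return pt if ok else None  # toy: a real session must also refuse further use after a failed open
```

Because both ends advance the same state, a receiver that has not processed the earlier messages (or processes them out of order) fails the tag check, which is exactly the ordering property that makes an explicit nonce unnecessary and also what rules out nonce-driven uses such as WireGuard.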