[noise] What needs forward secrecy? (for Disco)

David Wong davidwong.crypto at gmail.com
Wed Nov 15 07:26:22 PST 2017

In Strobe there are two functions to key a protocol/session: KEY() and AD()

They have important distinctions:

* KEY() permutes the state and starts absorbing the key at index 0
* KEY() replaces bits of the state instead of "absorbing" them

The first point means that KEY is slower since it always has to
permute the state (whereas AD will only permute if it reaches the end
of the writable state).
The second point allows KEY to "remove/replace" bits of the state,
effectively discarding a bunch of bits that could have been useful for
an attacker to retrieve a previous state. That property is commonly
called forward secrecy.

Disco uses AD() (instead of using a hash or hkdf) in several places in
the Symmetric State to absorb things:

* MixKey()
* MixHash()
* MixKeyAndHash()

Here the important functions are MixKey() and MixKeyAndHash().
It is my understanding that MixKey() is only called during the
handshake, meaning that at this point forward secrecy is not an
important or even wished property. For this reason I have not used
KEY() to replace the symmetricState behavior of Noise. I think Trevor
pointed out that it should be KEY() nonetheless because of future
updates on the Noise specification. It would be good to have clear
explanations on that here.

I have not implemented PSK features yet, so I'm less confident here,
but it seems like MixKeyAndHash() is only used as part of the
handshake when a PSK-mode is enabled. For this reason, it seems like
the use of KEY() would be once more overkill. I'd be happy to receive
some thoughts on that subject as well.
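As an added illustration (not from the post above, nor Strobe or Disco code), here is a toy sponge that shows why XOR-absorbing like AD() leaves the earlier state recoverable from the later one while overwriting like KEY() does not. The 8-byte state, the add-rotate permutation and the function names are constructed for this example; real Strobe uses Keccak-f[1600] on a 200-byte state, and the toy only reproduces the one property that matters here, that the permutation is a bijection anyone can run backwards.

```python
from itertools import product

STATE_LEN = 8  # toy state; constructed stand-in for Strobe's 200-byte Keccak state
ROUNDS = 4

def rotl(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def permute(state):
    """Toy invertible add-rotate permutation standing in for Keccak-f."""
    s = list(state)
    for r in range(ROUNDS):
        for i in range(STATE_LEN):
            s[i] = rotl((s[i] + s[(i + 1) % STATE_LEN] + r) & 0xFF, 3)
    return bytes(s)

def unpermute(state):
    """Exact inverse of permute(): a bijection can always be run backwards."""
    s = list(state)
    for r in reversed(range(ROUNDS)):
        for i in reversed(range(STATE_LEN)):
            s[i] = (rotl(s[i], 5) - s[(i + 1) % STATE_LEN] - r) & 0xFF
    return bytes(s)

def absorb_ad(state, data):
    """AD(): XOR the data into the state, then permute (the block-full case)."""
    padded = data.ljust(STATE_LEN, b"\0")
    return permute(bytes(a ^ b for a, b in zip(state, padded)))

def absorb_key(state, key):
    """KEY(): permute first, then overwrite state bytes from index 0 with the key."""
    s = bytearray(permute(state))
    s[:len(key)] = key
    return bytes(s)

def undo_ad(state_after, data):
    """With the later state and the (public) absorbed data, the earlier
    state is unique: invert the permutation, then XOR the data back out."""
    padded = data.ljust(STATE_LEN, b"\0")
    return bytes(a ^ b for a, b in zip(unpermute(state_after), padded))

def prior_states_after_key(state_after, key_len):
    """Undoing KEY() means guessing the overwritten bytes: every one of the
    256**key_len guesses yields a valid earlier state, so the true one is
    indistinguishable among them. Only enumerable here for tiny key_len."""
    candidates = set()
    for guess in product(range(256), repeat=key_len):
        s = bytearray(state_after)
        s[:key_len] = bytes(guess)
        candidates.add(unpermute(bytes(s)))
    return candidates
```

With a 32-byte key the candidate set has 2**256 members, which is the forward-secrecy argument for using the overwriting primitive.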
