[noise] What needs forward secrecy? (for Disco)

Trevor Perrin trevp at trevp.net
Wed Nov 15 10:21:33 PST 2017


On Wed, Nov 15, 2017 at 3:26 PM, David Wong <davidwong.crypto at gmail.com> wrote:
>
> Disco uses AD() (instead of using a hash or hkdf) in several places in
> the Symmetric State to absorb things:
>
> * MixKey()
> * MixHash()
> * MixKeyAndHash()
>
> Here the important functions are MixKey() and MixKeyAndHash().
> It is my understanding that MixKey() is only called during the
> handshake, meaning that at this point forward secrecy is not an
> important or even wished property.

I think new crypto algorithms need to provide the same security
properties as existing crypto.

Noise certainly considers the security properties of individual
handshake messages to be important (e.g. tables in section 7.4 and
7.5).  It's totally plausible that an application could care about
forward-secrecy of, say, 0-RTT data, when considering a compromise
later in the handshake.

Luckily, this hashing is a small fraction of handshake time.

Trevor
