[noise] What needs forward secrecy? (for Disco)
David Wong
davidwong.crypto at gmail.com
Mon Nov 20 09:58:27 PST 2017
> I think new crypto algorithms need to provide the same security
> properties as existing crypto.
That's the reason why SHA-3 was so slow to begin with. If a security
property is not needed, I don't see why it should persist.
> Noise certainly considers the security properties of individual
> handshake messages to be important (e.g. tables in section 7.4 and
> 7.5). It's totally plausible that an application could care about
> forward-secrecy of, say, 0-RTT data, when considering a compromise
> later in the handshake.
The Split() function introduces forward secrecy with the RATCHET()
function. Would this be enough for 0-RTT? It's certainly enough for
other scenarios.
> Luckily, this hashing is a small fraction of handshake time.
True. But I still don't see strong reasons to introduce it.
David
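A toy illustration of the forward-secrecy property that a one-way ratchet of the transport state gives (added example, not Disco's or Noise's own code; SHA-256 stands in for Strobe's RATCHET operation, and the "ratchet|"/"key|" labels and the hypothetical `SymmetricRatchet` class are assumptions of this example):

```python
import hashlib


def ratchet(state: bytes) -> bytes:
    # One-way transition: the previous state cannot be recovered from the output.
    return hashlib.sha256(b"ratchet|" + state).digest()


def message_key(state: bytes) -> bytes:
    # Per-message key derived from the current state (distinct from the state itself).
    return hashlib.sha256(b"key|" + state).digest()


class SymmetricRatchet:
    """Holds only the current state; every key is derived, then the state moves on."""

    def __init__(self, state: bytes):
        self.state = state

    def next_key(self) -> bytes:
        key = message_key(self.state)
        self.state = ratchet(self.state)  # old state overwritten: this key is no longer derivable
        return key


def keys_reachable_from(state: bytes, n: int) -> list:
    # Everything derivable from one snapshot of the state (what a compromise at that point yields).
    return [SymmetricRatchet(state).next_key() for _ in [None]] + keys_reachable_from(ratchet(state), n - 1) if n > 0 else []


def exposure_after_compromise(initial_state: bytes, compromise_at: int, total: int) -> list:
    """For each of `total` message keys, True if a state snapshot taken just before
    message `compromise_at` lets the holder re-derive that key."""
    sender = SymmetricRatchet(initial_state)
    keys, snapshot = [], None
    for i in range(total):
        if i == compromise_at:
            snapshot = sender.state  # state as it exists at that moment
        keys.append(sender.next_key())
    reachable = keys_reachable_from(snapshot, total - compromise_at)
    return [k in reachable for k in keys]
```

Keys issued before the snapshot stay out of reach because the ratchet is one-way, while keys issued afterwards are fully derivable from it; that is exactly the gap a separate mechanism would have to cover for 0-RTT data sent before any ratchet step.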