[noise] What needs forward secrecy? (for Disco)

David Wong davidwong.crypto at gmail.com
Sat Dec 2 06:02:57 PST 2017


> However, there are other cases:

I really fail to see the point of forward-secrecy for a few
milliseconds or a few handshake messages.
Haven't we reached a point where we're over-using forward secrecy?

* I understand the point of inter-session forward-secrecy. It is
completely possible that at some point some long term keys are leaked
(it has happened a lot in the past and continues to happen).
* I understand the point of intra-session forward-secrecy for
long-lived connections. This is what Signal does right, because a lot of
mobile text sessions span over many years.
* I do not understand the point of intra-handshake forward-secrecy, or
rather I see it as just "too much"


> The KDF has to be secure when given a single good input, even if
> all other inputs are malicious.  For example, maybe you're given a
> malicious PSK, or maybe someone sends you a malicious ephemeral public
> key, to try somehow "cancel out" the "es" or "se" DH that performs
> authentication.

You won't be able to cancel out anything by absorbing malicious inputs
(because you do not have access to other random secrets being
absorbed). Everything that is produced out of data we've absorbed via
the AD operation will still be output after a permutation so it will
effectively be random to anybody who doesn't have access to all the
secrets we've absorbed.


> Also, I think things are easier to analyze if they are consistent. In
> this case, if we always RATCHET in MixKey, then every new KDF input
> gets processed in the same way, using the same part of the permutation
> (I think).

I see what you're saying but I still don't think it is important that
everything is aligned.
There are no "confusion" attacks here as the padding of Strobe makes
sure that every operation is absorbed verbosely. There is no
ambiguity. (I'm not sure this answers your concern.)


> While I thought Mike was right, it also seems more conservative and
> simpler to analyze if we use the function in such a way that the key
> material is always at the same location.

Isn't the problem with Gimli that it was not hermetic? (as opposed to Keccak-f?)
I don't see these reasons as strong enough since we're using Keccak-f,
but I've honestly not spent enough time there to know if we're right
or wrong. So I'm going to continue to read about the duplex
construction, and I'll read the Gimli paper, and I'll figure out
things then.

Thanks!
David

