[noise] Draft extension: Ephemeral key obfuscation

str4d str4d at i2pmail.org
Sun May 27 22:18:08 PDT 2018


Hi all,

This is the first of three draft extensions I've been working on, as
part of designing the new Noise-based TCP transport for I2P [0]. Note
that I'm using the term "extension" loosely - I don't know exactly how
these would best fit into the ecosystem.

I look forward to your feedback!

Cheers,
str4d

[0] https://geti2p.net/spec/proposals/111-ntcp-2

---

# Noise extension: Ephemeral key obfuscation

## Motivation

The Noise protocol encrypts static DH keys, but leaves all ephemeral
keys as plaintext (for simplicity, even if there is key material
available to encrypt with). As DH keys often have identifiable
structure, it can be desirable in some cases to deterministically
obfuscate the ephemeral keys in some fashion, so that the resulting
network byte stream is indistinguishable from random.

A secondary goal is for this obfuscation to have minimal latency
overhead where the handshake pattern makes it possible.

## Changes to the Noise specification

Two new pattern modifiers are defined:

- aesobfse: Obfuscation using AES256-CBC with a pre-shared key and IV.
  - Fast, but requires a pre-message pattern for the responder (being
    the party that needs to successfully decode first).
  - Compatible with any DH type.
  - The encoded byte stream is the encryption of the regular encoding of
    the DH key, with arbitrary (ignored) data appended to round to a
    multiple of 16 bytes.
  - No padding mode is applied (so if the key is already a multiple of
    16 bytes in length, no additional block is appended).
  - The last ciphertext block of the previous ephemeral in the handshake
    pattern is used as the IV for the next ephemeral (i.e. treating the
    ephemerals as a single plaintext stream).
  - [Meta-note: I'd love to hear alternative suggestions for a fast
    obfuscation mechanism.]

- elligobfse: Obfuscation using an Elligator-style encoding
  - Slow, but usable without any pre-message pattern.
  - Only compatible with DH types that support Elligator-style encoding.
  - The encoding format is defined separately for each DH type that
    supports it.
    - [Meta-note: I have not defined these, as I am not using them.]
  - [Meta-note: Defined as a pattern modifier because there are no
    modifiers defined for other parts of the Noise protocol name, and
    the alternative would be defining unique DH names for every DH and
    obfuscation combination, which seemed overly complicated.]

The following obfuscation functions (and associated constant) are defined:

- OBFUSCATE(obfuscator_state, public_key): Obfuscates public_key using
  obfuscator_state. Returns OBFUSCLEN obfuscated bytes. Mutates
  obfuscator_state.

- DEOBFUSCATE(obfuscator_state, data): Deobfuscates data using
  obfuscator_state. Returns the public key, unless the data is invalid,
  in which case an error is signaled to the caller. Mutates
  obfuscator_state.

- OBFUSCLEN = A constant specifying the size in bytes of obfuscated
  public keys.

If either pattern modifier is present, it (along with the DH type and
any pre-shared material) is used to initialize obfuscator_state.

WriteMessage() handling of the "e" token is altered to read:

- For "e": Sets e (which must be empty) to GENERATE_KEYPAIR(). If
  obfuscator_state exists, appends
  OBFUSCATE(obfuscator_state, e.public_key) to the buffer; else appends
  e.public_key to the buffer. Calls MixHash(e.public_key).

ReadMessage() handling of the "e" token is altered to read:

- For "e": If obfuscator_state exists, takes the next OBFUSCLEN bytes
  from the message as tmp, and sets re (which must be empty) to
  DEOBFUSCATE(obfuscator_state, tmp); else sets re (which must be empty)
  to the next DHLEN bytes from the message. Calls
  MixHash(re.public_key).

## Example implementation

https://github.com/str4d/snow/tree/aesobfse
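
The following is an added example, not code from the original post or from the linked snow branch: OBFUSCATE and DEOBFUSCATE for aesobfse in Go, with the running CBC IV kept as obfuscator_state so that successive ephemerals form one CBC stream. The Go type and function names, the choice of random bytes as filler, and the all-zero sample key, IV and public key in main are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Obfuscator stands in for obfuscator_state under aesobfse; all Go names are this example's own.
type Obfuscator struct {
	block         cipher.Block // AES-256 under the pre-shared key
	iv            []byte       // running CBC IV, chained across ephemerals
	dhLen, obfLen int          // DHLEN, and OBFUSCLEN (DHLEN rounded up to whole blocks)
}

func NewObfuscator(key, iv []byte, dhLen int) (*Obfuscator, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 || len(iv) != aes.BlockSize || dhLen < 1 {
		return nil, fmt.Errorf("need a 32-byte key, a 16-byte IV and a positive DHLEN")
	}
	return &Obfuscator{block, append([]byte(nil), iv...), dhLen, (dhLen + 15) / 16 * 16}, nil
}

// Obfuscate and Deobfuscate implement OBFUSCATE/DEOBFUSCATE: unpadded CBC over key plus filler.
func (o *Obfuscator) Obfuscate(pub []byte) ([]byte, error) {
	buf := make([]byte, o.obfLen)
	if _, err := rand.Read(buf); err != nil || len(pub) != o.dhLen {
		return nil, fmt.Errorf("need a %d-byte public key (RNG error: %v)", o.dhLen, err)
	}
	copy(buf, pub) // key first; any bytes after it remain random filler
	cipher.NewCBCEncrypter(o.block, o.iv).CryptBlocks(buf, buf)
	o.iv = append([]byte(nil), buf[o.obfLen-aes.BlockSize:]...) // last block is the next IV
	return buf, nil
}

func (o *Obfuscator) Deobfuscate(data []byte) ([]byte, error) {
	if len(data) != o.obfLen {
		return nil, fmt.Errorf("need %d obfuscated bytes, got %d", o.obfLen, len(data))
	}
	out := make([]byte, o.obfLen)
	cipher.NewCBCDecrypter(o.block, o.iv).CryptBlocks(out, data)
	o.iv = append([]byte(nil), data[o.obfLen-aes.BlockSize:]...)
	return out[:o.dhLen], nil // filler dropped; key validity is left to the DH type
}

func main() {
	o, _ := NewObfuscator(make([]byte, 32), make([]byte, 16), 56) // constructed all-zero key and IV
	fmt.Println(o.Obfuscate(make([]byte, 56)))                    // constructed 56-byte stand-in key
}
```

Both parties advance the IV on every "e" token they write or read, so a responder's ephemeral is chained off the initiator's ciphertext.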
