[noise] Questions regarding the Additional Symmetric Keys extension

Mathias Hall-Andersen mathias at hall-andersen.dk
Tue Jul 10 07:39:01 PDT 2018


Hi Noise

I am drafting a proposal for the "Additional Symmetric Keys"
Noise extension, based on Trevor's summary of the Resumption PSK discussion:
https://moderncrypto.org/mail-archive/noise/2018/001713.html

During this process a number of questions / comments came up:


Why do we want to update ask_master after split?


We should use the full output of HKDF in "invoke_chain" rather than truncating to 32 bytes,
to accommodate the use of 512-bit hash functions, with the goal that the output keys
should be capable of serving as collision-resistant hashes of the session transcript
(they should offer the same level of security as "h").

If we want the behavior of "invoke" to be independent of the hash function,
we could rename "invoke_chain" to "read_chain" and model it using a "streaming API",
where an arbitrary number of bytes can be read out (which becomes HKDF calls underneath).


Is there a reason why we cannot derive the ask_master only from the chaining key?
This would simplify the design considerably, by:

- Avoiding having to modify MixKey + MixKeyAndHash
- Omitting the EnableASK method from the API (since there is no overhead unless create_chains is called).
- Saving HKDF calls when ASK is only used after a single MixKey/MixKeyAndHash call.
- Allowing us to remove the enable_ask flag and ask_master variable from the state
- (optional) Allowing us to enable the extraction of material prior to any
  MixKey/MixKeyAndHash call, for use in obfuscation.

One option might be to define create_chains as follows:

"""
create_chains(labels):
    ask_master = HKDF(ck, zerolen, info="ask", 1)
    ask_chains = {}
    for label in labels:
        ask_chains[label] = HKDF(ask_master, h || label, 1)
    erase ask_master
"""

Since the chaining key is deleted after Split(),
users would have to call create_chains before Split(),
but would still be able to invoke chains post Split().

I apologize for not getting involved in the ASK / Resumption PSK discussion earlier.

The document (work in progress) can be found at:
https://github.com/rot256/noise-extension-ask


Best Regards
Mathias Hall-Andersen
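A runnable model of the create_chains design sketched in the message, added here as an example (it is not code from the email or from the noise-extension-ask draft): noise_hkdf implements the Noise-spec HKDF with SHA-256, AskState holds ck, h and the chains, and invoke_chain ratchets a chain with one HKDF call and returns the full hash-sized output. Two assumptions: the info="ask" argument is modelled as HKDF input key material (Noise's HKDF has no info parameter), and the ratchet shape of invoke_chain is not specified in the message.

```python
import hashlib
import hmac

HASHLEN = 32  # SHA-256: each HKDF output is a full hash-sized block, never truncated


def noise_hkdf(chaining_key, ikm, num_outputs):
    """HKDF as in the Noise spec: HMAC extract, then chained HMAC expand."""
    temp_key = hmac.new(chaining_key, ikm, hashlib.sha256).digest()
    outputs, prev = [], b""
    for i in range(1, num_outputs + 1):
        prev = hmac.new(temp_key, prev + bytes([i]), hashlib.sha256).digest()
        outputs.append(prev)
    return outputs


class AskState:
    def __init__(self, ck, h):
        self.ck, self.h, self.ask_chains = ck, h, {}  # ck is erased by split()

    def create_chains(self, labels):
        # ask_master is derived from ck alone; the proposal's info="ask" is modelled
        # as HKDF input key material because Noise's HKDF has no info argument.
        if self.ck is None:
            raise RuntimeError("create_chains must be called before split()")
        ask_master = noise_hkdf(self.ck, b"ask", 1)[0]
        for label in labels:  # h binds every chain to the handshake transcript
            self.ask_chains[label] = noise_hkdf(ask_master, self.h + label, 1)[0]
        del ask_master  # erase ask_master once the chains exist

    def invoke_chain(self, label):
        # Assumed ratchet: one HKDF call advances the chain and yields a full output.
        new_chain, out = noise_hkdf(self.ask_chains[label], b"", 2)
        self.ask_chains[label] = new_chain
        return out

    def split(self):
        self.ck = None  # Split() deletes ck; chains created before it stay usable


def demo():
    # Constructed stand-ins for a real handshake's ck and h (not real Noise output).
    ck = hashlib.sha256(b"constructed chaining key").digest()
    h = hashlib.sha256(b"constructed handshake hash").digest()
    alice, bob = AskState(ck, h), AskState(ck, h)
    for party in (alice, bob):
        party.create_chains([b"resumption"])
        party.split()
    outs = [s.invoke_chain(b"resumption") for s in (alice, bob, alice, bob)]
    return outs, alice.ck  # [a1, b1, a2, b2]; ck is None after split
```

Both parties obtain matching outputs from chains created before Split() even though ck is gone, and each invocation yields a fresh full-length value.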