[noise] Symmetric-crypto overhaul and stateful hashing

Loup Vaillant David loup at loup-vaillant.fr
Mon Nov 12 01:57:01 PST 2018


Hi,

Many of these changes will be much appreciated. I implemented HKDF to
see how much it would cost (both in lines of code and in runtime), and
it felt way overkill for cases where the hash was designed to be
suitable for a prefix-MAC to begin with (such as keyed BLAKE2b).


>  * The Encrypt/Decrypt operations will be possessed by some crypto
> objects (like STROBE or other Sponge/Duplex objects).  In this case
> we don't have to derive a key from the object and use it with an
> AEAD, we can just ask the object to encrypt/decrypt things directly.

Does this mean we'll be able to elide intermediate authentication tags
(That is, tags occurring before the end of the handshake message)?

For instance, as I understand the X pattern, the sender's message
currently looks like this (subsequent payload omitted):

  -> e || AEAD(s) || auth_tag(transcript)

Could your changes imply the following?

  -> e || raw_encryption(s) || auth_tag(transcript)

That is, would we omit the authentication tag provided by the AEAD, and
instead rely on the authentication of the whole transcript? (That would
be another appreciated change, since unless I'm horribly mistaken, the
AEAD tag is redundant, and doesn't contribute to the security of the
whole message. Especially in this case, where the tag only relies on an
anonymous es key exchange.)

Loup.
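The two framings compared in the message above, modelled in Python as an added illustration (this is not code from the poster, from the Noise specification, or from any Noise implementation). Assumptions that are not in the original message: the DH outputs of the es and ss exchanges are replaced by fixed, constructed 32-byte secrets (the standard library has no X25519); the key schedule is not chained the way Noise's is; "raw encryption" is a keystream XOR built from keyed BLAKE2b in counter mode; and both the per-field AEAD tag and the final transcript tag are keyed BLAKE2b used as a prefix-MAC, truncated to 16 bytes. The point it shows is the one the message makes: with a tag over the whole transcript, dropping the per-field tag on `s` shortens the message and any modification of `e` or of the encrypted `s` is still rejected.

```python
"""Toy model of the two X-pattern message framings discussed above.

Added illustration, not Noise's or the poster's code.  Constructed
stand-ins: ES_SECRET/SS_SECRET replace real DH outputs, and the toy
stream cipher and prefix-MAC are not any real Noise cipher suite.
"""
import hashlib
import hmac
from typing import Optional

TAG_LEN = 16

# Constructed stand-ins for the sender's values (not real keys).
E_PUB = bytes.fromhex("aa" * 32)       # ephemeral public key e
S_PUB = bytes.fromhex("bb" * 32)       # static public key s
ES_SECRET = bytes.fromhex("01" * 32)   # stand-in for DH(e, rs)
SS_SECRET = bytes.fromhex("02" * 32)   # stand-in for DH(s, rs)


def derive(secret: bytes, label: bytes) -> bytes:
    """Derive a 32-byte subkey with keyed BLAKE2b (prefix-MAC style)."""
    return hashlib.blake2b(label, key=secret, digest_size=32).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with keyed BLAKE2b in counter mode."""
    out = bytearray()
    for offset in range(0, len(data), 64):
        block = hashlib.blake2b(offset.to_bytes(8, "little"), key=key,
                                digest_size=64).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 64], block))
    return bytes(out)


def tag(key: bytes, data: bytes) -> bytes:
    """Prefix MAC: keyed BLAKE2b over data, truncated to TAG_LEN bytes."""
    return hashlib.blake2b(data, key=key, digest_size=TAG_LEN).digest()


def current_framing() -> bytes:
    """-> e || AEAD(s) || auth_tag(transcript)   (per-field tag kept)."""
    k_es = derive(ES_SECRET, b"es")
    ct_s = keystream_xor(k_es, S_PUB)
    aead_tag = tag(derive(k_es, b"mac"), ct_s)  # the tag the poster calls redundant
    body = E_PUB + ct_s + aead_tag
    k_ss = derive(SS_SECRET, b"ss")
    return body + tag(k_ss, body)               # tag over the whole transcript


def proposed_framing() -> bytes:
    """-> e || raw_encryption(s) || auth_tag(transcript)   (per-field tag elided)."""
    k_es = derive(ES_SECRET, b"es")
    body = E_PUB + keystream_xor(k_es, S_PUB)
    k_ss = derive(SS_SECRET, b"ss")
    return body + tag(k_ss, body)


def verify_proposed(msg: bytes) -> Optional[bytes]:
    """Receiver side of the proposed framing: check the transcript tag
    first, then decrypt s.  Returns s, or None if the tag does not match."""
    body, t = msg[:-TAG_LEN], msg[-TAG_LEN:]
    k_ss = derive(SS_SECRET, b"ss")
    if not hmac.compare_digest(tag(k_ss, body), t):
        return None
    k_es = derive(ES_SECRET, b"es")
    return keystream_xor(k_es, body[32:])


def tamper_detected(msg: bytes, index: int) -> bool:
    """Flip one bit at `index` and report whether verification rejects it."""
    flipped = bytearray(msg)
    flipped[index] ^= 0x01
    return verify_proposed(bytes(flipped)) is None


if __name__ == "__main__":
    print("current framing :", len(current_framing()), "bytes")
    print("proposed framing:", len(proposed_framing()), "bytes")
    print("decrypts to s   :", verify_proposed(proposed_framing()) == S_PUB)
    print("tamper in e     :", tamper_detected(proposed_framing(), 0))
    print("tamper in enc(s):", tamper_detected(proposed_framing(), 40))
```

The receiver checks the transcript tag before decrypting anything, which is the property that lets the per-field tag go: a modified ciphertext never reaches the decryptor. What the toy does not capture is the real Noise key schedule, where the final tag's key also depends on the es exchange through chaining.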



