Noise Extension: Hybrid Forward Secrecy

Question

Noise Extension: Hybrid Forward Secrecy

david415 opened this issue 6 years ago · comments

David Stainton commented 6 years ago

Are you interested in this feature?

Here's the noise fork by Yawning Angel that has the XXhfs using NewHope-Simple:

https://github.com/katzenpost/noise

Here's the spec extension:

https://raw.githubusercontent.com/noiseprotocol/noise_spec/41d478d3dd97d77a6695f4d6cf6283e2830e9ca6/extensions/ext_hybrid_forward_secrecy.md

Jake McGinty · Answer 1 · Sun Nov 18 2018 15:39:59 GMT+0800 (China Standard Time)

Yes, I'm interested in adding HFS support.

Amber Sprenkels · Answer 2 · Mon Jul 08 2019 17:29:07 GMT+0800 (China Standard Time)

Hey all, in August/September I will probably have some time to implement this. Can I claim this issue for now?

Jake McGinty · Answer 3 · Mon Jul 15 2019 10:57:21 GMT+0800 (China Standard Time)

@dsprenkels go for it :).

Amber Sprenkels · Answer 4 · Fri Aug 02 2019 16:13:24 GMT+0800 (China Standard Time)

Here's some preliminary notes.

Implement the latest HFS spec, i.e. the one listed at https://github.com/noiseprotocol/noise_hfs_spec/blob/master/output/noise_hfs.pdf.
At request of @david415, I will use the Kyber-1024 key encapsulation scheme.
At first, this scheme will be based on the Rust bindings to the PQClean suite of implementations. https://github.com/PQClean/PQClean from Kannwischer, Rijneveld, Schwabe, Stebila, Wiggers (docs: https://docs.rs/pqcrypto-kyber/0.4.1/pqcrypto_kyber/).
- Later I intend to implement an optimized version of the Kybers in Rust.
Moreover, ask the community whether they would like to see a different cryptoscheme, and use that one as well. (In any case announce this project over the mailing list.)
Everything will be feature gated by a hfs feature, s.t. these changes do not add code/compile bloat.

Amber Sprenkels · Answer 5 · Tue Aug 27 2019 20:58:11 GMT+0800 (China Standard Time)

Hey @mcginty, today I have worked on the HFS support. I have pushed the updates to my hfs branch.

David Stainton · Answer 6 · Thu Aug 29 2019 05:09:44 GMT+0800 (China Standard Time)

I'd like to try out your branch... What is a valid Noise HFS specification string?
This one is not valid:
Noise_XXhfs_25519+Kyber1024_ChaChaPoly_BLAKE2b

Amber Sprenkels · Answer 7 · Thu Aug 29 2019 05:40:51 GMT+0800 (China Standard Time)

Because Trevor's spec did not mention anything about the +-syntax, I have currently implemented the resolving in a way that you have to specify the KEM separately in the builder. Let me give an example:

let params: NoiseParams = "Noise_NNhfs_25519_ChaChaPoly_SHA256".parse().unwrap();
let mut h_i = Builder::new(params.clone())
    .kem(KemChoice::Kyber1024)
    .build_initiator()
    .unwrap();

In this case, the resolver is the default resolver (not ring). Btw. don't forget to enable the hfs and pqclean_kyber1024 features.

I agree that, given the fact that Kyber1024 is currently the only supported KEM, explicitly choosing it might feel a bit pointless. Maybe this is something to be updated.

Note to self: Ask the community about this.

David Stainton · Answer 8 · Tue Sep 24 2019 22:30:00 GMT+0800 (China Standard Time)

Hi all. I'm looking forward to this feature getting landed. No hurry I'm just saying that I'm looking forward. Cheers!

Jake McGinty · Answer 9 · Sun Feb 09 2020 02:56:06 GMT+0800 (China Standard Time)

This is now merged in master.