Hello,
My tinfoil hat went crinkle in the night[0], and I had an additional thought here. Should we encrypt the `CLIENT_NEWHOPE` and `SERVER_NEWHOPE` values using <AE construct of your choice> and something derived from `EXP(Z,x)`/`EXP(X,z)`?
It doesn't have perfect forward secrecy (compromise of `z` would allow the adversary to decrypt all previous ciphertexts), but it's better than nothing.
CPU-wise it's 1 additional KDF call (assuming you squeeze out the forward and return symmetric keys at once), 1 extra CSPRNG call (for the IV), and 2 AE calls. And `len(IV) + len(Tag)` bytes of extra network overhead in each direction, both of which I think are relatively cheap.
Regards,
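The wrapping sketched in the mail above, written out as an added example in Go (stdlib only); this is not code from the mail's author or from the proposal under discussion. Assumptions made here: X25519 stands in for the `EXP()` group (so `z`/`Z` is the server's static pair and `x`/`X` the client's ephemeral), HKDF-SHA256 is the KDF that squeezes the forward and return keys out of `EXP(Z,x)` in one call, AES-256-GCM is the "AE construct of your choice", the KDF label and the `*_NEWHOPE` placeholder bytes are constructed, and `clientWrap`, `serverUnwrap` and `Exchange` are names chosen for this example. `Exchange` also runs the caveat from the mail: the recorded first flight is decrypted with a `z` that leaks later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must keeps the example short; the calls wrapped in it fail only on broken local input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// hkdfSHA256 is RFC 5869 extract-then-expand written out with crypto/hmac (stdlib only).
func hkdfSHA256(salt, ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var okm, t []byte
	for i := byte(1); len(okm) < n; i++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(t)
		exp.Write(info)
		exp.Write([]byte{i})
		t = exp.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:n]
}
// deriveWrapKeys is the one extra KDF call: forward and return AEAD keys squeezed out at once.
func deriveWrapKeys(dh []byte) (fwd, ret []byte) {
	okm := hkdfSHA256(nil, dh, []byte("example: newhope wrap keys"), 64) // label is this example's
	return okm[:32], okm[32:]
}
// seal is the AE construct chosen here (AES-256-GCM) with a fresh random nonce in front: the
// extra CSPRNG call, and len(IV)+len(Tag) = 12+16 bytes of extra traffic per direction.
func seal(key, plaintext, ad []byte) []byte {
	ae := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, ae.NonceSize())
	must(rand.Read(nonce))
	return ae.Seal(nonce, nonce, plaintext, ad)
}
// open rejects truncated, tampered or mis-keyed messages with an error rather than a panic.
func open(key, msg, ad []byte) ([]byte, error) {
	ae := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(msg) < ae.NonceSize()+ae.Overhead() {
		return nil, fmt.Errorf("wrapped message too short (%d bytes)", len(msg))
	}
	return ae.Open(nil, msg[:ae.NonceSize()], msg[ae.NonceSize():], ad)
}

// clientWrap: ephemeral x, EXP(Z,x), CLIENT_NEWHOPE sealed under the forward key with X as
// associated data (ties the ciphertext to this ephemeral). Returns X, ct and the return key.
func clientWrap(Z *ecdh.PublicKey, clientNewhope []byte) ([]byte, []byte, []byte) {
	x := must(ecdh.X25519().GenerateKey(rand.Reader))
	fwd, ret := deriveWrapKeys(must(x.ECDH(Z))) // EXP(Z,x)
	X := x.PublicKey().Bytes()
	return X, seal(fwd, clientNewhope, X), ret
}
// serverUnwrap recomputes EXP(X,z) = EXP(Z,x), opens CLIENT_NEWHOPE and seals SERVER_NEWHOPE
// under the return key. X and ct come from the peer, so failures are errors, not panics.
func serverUnwrap(z *ecdh.PrivateKey, X, ct, serverNewhope []byte) ([]byte, []byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(X)
	if err != nil {
		return nil, nil, err
	}
	dh, err := z.ECDH(pub) // EXP(X,z); fails on a low-order X
	if err != nil {
		return nil, nil, err
	}
	fwd, ret := deriveWrapKeys(dh)
	pt, err := open(fwd, ct, X)
	if err != nil {
		return nil, nil, err
	}
	return pt, seal(ret, serverNewhope, X), nil
}

// Exchange reports: both NEWHOPE values recovered intact; a one-bit tamper rejected; and the
// mail's caveat, that whoever recorded the first flight and later obtains z redoes the server's
// computation and recovers CLIENT_NEWHOPE (only the discarded x would have protected it).
func Exchange() (roundtripOK, tamperRejected, leakedZDecryptsRecording bool) {
	clientNewhope, serverNewhope := []byte("CLIENT_NEWHOPE placeholder"), []byte("SERVER_NEWHOPE placeholder") // constructed
	z := must(ecdh.X25519().GenerateKey(rand.Reader)) // server static key pair (z, Z)
	X, ct, ret := clientWrap(z.PublicKey(), clientNewhope)
	gotClient, replyCt, err1 := serverUnwrap(z, X, ct, serverNewhope)
	gotServer, err2 := open(ret, replyCt, X)
	roundtripOK = err1 == nil && err2 == nil && string(gotClient) == string(clientNewhope) && string(gotServer) == string(serverNewhope)
	tampered := append([]byte(nil), ct...)
	tampered[len(tampered)-1] ^= 0x01 // flip one ciphertext bit: the GCM tag check must fail
	_, _, err3 := serverUnwrap(z, X, tampered, nil)
	tamperRejected = err3 != nil
	leaked := must(ecdh.X25519().NewPrivateKey(z.Bytes())) // z compromised after the fact
	pt, _, err4 := serverUnwrap(leaked, X, ct, nil)         // replay of the recorded (X, ct)
	leakedZDecryptsRecording = err4 == nil && string(pt) == string(clientNewhope)
	return
}

func main() { fmt.Println(Exchange()) }
```

`go run` prints `true true true`: the round trip works, a flipped bit is refused, and the third value is the mail's point about forward secrecy made concrete. Two design choices worth noting: X is fed to the AEAD as associated data so a sealed `CLIENT_NEWHOPE` cannot be re-sent under a different ephemeral, and the server never panics on peer-supplied bytes (malformed X, low-order X, short or tampered ciphertext all surface as errors).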