Improve SecretConnection/STS KDF?

[tarcieri]

SecretConnection presently uses the NaCl crypto_secretbox construction for authenticated encryption:

https://github.com/tendermint/tendermint/blob/master/p2p/secret_connection.go#L131

crypto_secretbox decomposes to the following:

Salsa20Poly1305(HSalsa20(k, nonce), Ø{8}, frame)

The crypto_secretbox API imposes a 24-byte length requirement on the nonce, and for that reason SecretConnection first pre-hashes all of the cryptographic parameters with RIPEMD160:

https://github.com/tendermint/tendermint/blob/master/p2p/secret_connection.go#L131

So the overall construction ends up looking like this:

Salsa20Poly1305(HSalsa20(k, RIPEMD160(lowPubKey || hiPubKey)), Ø{8}, frame)

(glossing over the sender/receiver nonce tweaks momentarily)

So, funny thing, my understanding is HSalsa20 is just a PRF and can accept variable length input. The 24-byte restriction is a totally arbitrary one imposed by the crypto_secretbox API. So if you wanted to get rid of RIPEMD160 (see discussion here), you could just do this:

Salsa20Poly1305(HSalsa20(k, lowPubKey || hiPubKey), Ø{8}, frame)

Tada, no need for RIPEMD160. If you step outside the constraints of the crypto_secretbox API, you should just be able to pass everything directly to HSalsa20. This should provide a 2¹²⁸ security level, as opposed to the 2⁸⁰ one provided by RIPEMD160.

All that said, I would probably suggest using HKDF instead of HSalsa20 here. See some of the criticism CodesInChaos makes about the similar nonce-based approach used by CurveCP:

https://codesinchaos.wordpress.com/2012/09/09/curvecp-1/

A more traditional way to build an authenticated key exchange is to compute a transcript hash of the entire key exchange and use that as an input to something like HKDF, and using that to derive symmetric keys.

HKDF is an extremely boring construction with well-understood, provable security properties created by Hugo Krawczyk, who just so happened to be this year's Levchin Award winner at RealWorldCrypto. HKDF is used by both TLS and Noise for key derivation.

With HKDF, instead of tweaking the nonce and using that to derive two keys, you can just ask for two symmetric keys worth of output, and have the conversation participants pick the appropriate key for their side of the conversation.

HKDF for Go is available here:

https://godoc.org/golang.org/x/crypto/hkdf

A minimalistic change to HKDF might change the above to something like this:

derivedKey = HKDFSHA256(k, lowPubKey || hiPubKey, "COSMOS_SECRETCONNECTION_KDF")
Salsa20Poly1305(derivedKey, Ø{8}, frame)

[zmanian]

I'm interested in taking this.

[ebuchman]

Linking to #1124 which suggests moving from xsalsa20poly1305 to xchacha20poly1305 - as implemented in tendermint/go-crypto#98

The question here is whether to switch that to a custom hkdf-chacha20poly1305 - is it really worth it ? the difference is basically that we get 2^256 msgs per key rather than 2^192 ?

[zmanian]

The alternative would be to start the nonce counters from zero and terminate the connection when they hit 2^192 -1 ?

[ebuchman]

We'll never hit that though right ? We couldn't send that many msgs with one key if we tried ...

And the nonce incrementer just wraps around. I feel like I'm missing something

[tarcieri]

@ebuchman the advantages of HKDF are:

• Extended "salt" space: by "fiat" XChaCha20 takes a 24-byte nonce (when really the nonce is just a parameter to the variable-length HChaCha20 PRF), which was the original impetus for using RIPEMD160 (as noted earlier). HKDF salts are variable length so you can use them to bind whatever parameters you can express in some form of canonical string. In this regard I'd consider it a more flexible primitive than the "box" API to HChaCha20
• Extra "info" parameter: this parameter is mixed into every iteration of every derivation and is great for a "personalization string", i.e. some short string that "colors" a particular derivation for a particular purpose, such as deriving a bunch of purpose-specific keys from a single master key
• Security proofs: HKDF is used almost universally in this particular space because it has well-understood security proofs and therefore is exceedingly boring for this purpose. See its use in both TLS and Noise

[ebuchman]

OK - thanks for the extra details!

[ebuchman]

So - we just merged the move to xchacha20poly1305 by copying hchacha20 from github.com/aead/chacha20 and wrapping the stdlibs chacha20poly1305: tendermint/go-crypto#98

But to implement the proposal here, we would remove hchacha20 and the sender/recvr nonces, and instead replace it with an HKDF stream from which we can just keep reading 40-byte chunks to pass as nonce into Seal, where the first 32-bytes are the key and the final 8 are the nonce for cc20p1305 ?

And then to differentiate sender and receiver nonce input we would have two hkdf streams, something like:

recvNonceStream = HKDFSHA256(k, myPubKey || theirPubKey, "COSMOS_SECRETCONNECTION_KDF")
sendNonceStream = HKDFSHA256(k, theirPubKey || myPubKey, "COSMOS_SECRETCONNECTION_KDF")

Is that right ?

[ebuchman]

Uh, I'm not sure the HKDF output is unbounded, so maybe I'm still not understanding something

[tarcieri]

@ebuchman I'd suggest using HKDF to derive a unique key, rather than deriving a nonce. This is what the XSalsa and XChaCha constructions do (see above: the underlying Salsa/ChaCha nonce is Ø{8}).

The "X" versions of these constructions use HChaCha20 as a KDF to derive a unique key per nonce. You'd still use a nonce of Ø{8}, except the key would come from HKDF's output key material, rather than HChaCha20's output.

HKDF uses a method called extract-and-expand which is adaptable to the amount of output you want to generate. You can also change any of the parameters you pass to it (most notably the salt) to get a unique key per invocation.