[noise] Rev30 branch

Trevor Perrin trevp at trevp.net
Thu Jun 30 11:44:32 PDT 2016


On Wed, Jun 29, 2016 at 6:21 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> On Thu, Jun 30, 2016 at 10:53 AM, Jason A. Donenfeld <Jason at zx2c4.com>
> wrote:
>>
>> > * Explicit nonces make it easier to "backdoor" crypto implementations.
>>
>> That's an interesting point. Do you mean simply in the sense that a
>> backdoored RNG would result in more catastrophic effects than
>> otherwise? Or do you have something else in mind?
>
>
> I interpret that as a reference to Dual_EC_DRBG and similar constructions
> where the output of the RNG contains information that can be used to derive
> the internal state.

That's right, and a good summary.  And this isn't theoretical, RSA
BSAFE and Juniper Netscreen (and who knows what else) were backdoored
via RNG + explicit nonces, and NSA tried to lobby the IETF for larger
TLS nonces, to make it easier to exfiltrate the Dual_EC state.

OTOH, I don't want to exaggerate this.

There are arguments in favor of explicit nonces (they enable ephemeral
key reuse, which lets you amortize key-generation costs).  And if
someone is in position to backdoor the RNG, avoiding explicit nonces
won't necessarily stop them (they could always make the RNG
low-entropy, though that's perhaps more detectable and doesn't achieve
the Nobody-but-Us "NOBUS" property of a good backdoor).

So I've edited the rationale to be more nuanced:

Explicit random nonces (like TLS "Random" fields) are not used because:

 * One-time ephemeral public keys make explicit nonces unnecessary.
 * Explicit nonces allow reuse of ephemeral public keys. However
reusing ephemerals (with periodic replacement) is more complicated,
requires a secure time source, is less secure in case of ephemeral
compromise, and only provides a small optimization, since key
generation can be done for a fraction of the cost of a DH operation.
 * Explicit nonces increase message size.
 * Explicit nonces make it easier to "backdoor" crypto
implementations, e.g. by modifying the RNG so that key recovery data
is leaked through the nonce fields.

https://github.com/noiseprotocol/noise_spec/blob/rev30/noise.md


Trevor
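As an added example (not part of the original post or of the Noise spec), the toy handshake below shows two of the rationale points in running code: fresh ephemerals make every session key distinct with no explicit nonce field, and compromising one ephemeral private key exposes only that session, whereas a reused ephemeral plus explicit nonce exposes every session that shared it. The DH group and hash mixing are constructed stand-ins for illustration, not Noise's X25519 and HKDF.

```python
import hashlib
import secrets

# Toy DH group, constructed for illustration only; it is NOT a secure group.
P = 2**61 - 1
G = 5


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(8, "big")


def session_key(dh_output, transcript):
    # Noise-style mixing: the key depends on the DH output and on the hashed
    # transcript, which includes both public keys sent during the handshake.
    return hashlib.sha256(dh_output + hashlib.sha256(transcript).digest()).digest()


def sessions(n, reuse_ephemeral):
    """Run n handshakes against one responder; return (e_priv, transcript, key) records.
    reuse_ephemeral=False: fresh initiator ephemeral per session, no explicit nonce.
    reuse_ephemeral=True : one initiator ephemeral for all n sessions, with freshness
                           supplied by a 32-byte explicit random nonce instead."""
    resp_priv, resp_pub = keygen()
    shared = keygen() if reuse_ephemeral else None
    records = []
    for _ in range(n):
        e_priv, e_pub = shared if reuse_ephemeral else keygen()
        nonce = secrets.token_bytes(32) if reuse_ephemeral else b""
        transcript = nonce + e_pub.to_bytes(8, "big") + resp_pub.to_bytes(8, "big")
        key = session_key(dh(e_priv, resp_pub), transcript)
        assert key == session_key(dh(resp_priv, e_pub), transcript)  # both sides agree
        records.append((e_priv, transcript, key))
    return records


def distinct_keys(records):
    return len({key for _, _, key in records})


def recoverable_after_compromise(records, leaked_index):
    """An attacker who learns one initiator ephemeral private key and holds all
    (public) transcripts: count how many session keys they can recompute."""
    leaked_priv = records[leaked_index][0]
    resp_pub = int.from_bytes(records[0][1][-8:], "big")  # last 8 bytes of transcript
    return sum(1 for _, transcript, key in records
               if session_key(dh(leaked_priv, resp_pub), transcript) == key)
```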

