[noise] out of curve points

Trevor Perrin trevp at trevp.net
Mon Sep 21 08:49:16 PDT 2015


On Sat, Sep 19, 2015 at 5:52 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> What about the case in which the responder is dealing with both a bogus
> static public key and a bogus ephemeral key from the initiator? In this
> case, it's likely that it's possible to massage the keys into something
> unfortunate.

Provided the calculation doesn't leak the responder's private key,
it's fine to calculate zero in that case.  The only concern would come
from unusual use cases like "channel binding", which I added a
security consideration for.

https://moderncrypto.org/mail-archive/noise/2015/000276.html

Trevor


More information about the Noise mailing list