[noise] Rev30 branch

Rhys Weatherley rhys.weatherley at gmail.com
Wed Jun 29 18:21:47 PDT 2016

On Thu, Jun 30, 2016 at 10:53 AM, Jason A. Donenfeld <Jason at zx2c4.com>

> > * Explicit nonces make it easier to "backdoor" crypto implementations.
> That's an interesting point. Do you mean simply in the sense that a
> backdoored RNG would result in more catastrophic effects than
> otherwise? Or do you have something else in mind?

I interpret that as a reference to Dual_EC_DRBG and similar constructions
where the output of the RNG contains information that can be used to derive
the internal state.  Putting the output of a system RNG on the wire without
transforming it first is dangerous.

Noise ephemeral keys are generated from random information, but the random
information itself is not on the wire.  A transformed version is, and as
long as Curve25519/448 remain sound, it is infeasible to reverse that
information back to the RNG state.

If Noise did include a nonce, then that information might allow the private
component of the static and ephemeral keypairs to be derived, which would
be catastrophic.  Instead Noise uses the RNG in a way that any leakage of
state is destroyed before the data goes on the wire.  It's a design issue
that leads to safer operation.

It is possible to make explicit nonces safe: always hash the data coming
out of the system RNG again to destroy any watermarks.  But that requires
the implementer to take extra care.  And there's no way for the other party
to verify that such a step was taken.

Of course, if the system RNG is completely b0rked (e.g. a hash of the time),
then it is still predictable.  But not because of information that is
included in the protocol.

TL;DR: Don't put the output of your system RNG on the wire.  It's just
asking for trouble.
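The argument above, worked through as an added example (editor's illustration, not code from the Noise project or from the mail). It models a watermarked RNG in the Dual_EC_DRBG style with a toy construction: every output is the generator's internal state, and the next state is an HMAC under a constructed TRAPDOOR key, so anyone holding the trapdoor can roll one observed output forward to every later one. SHA-256 stands in for the Curve25519 scalar multiplication the mail relies on being one-way. All names (WatermarkedRNG, TRAPDOOR, handshake_with_raw_nonce, handshake_with_hashed_nonce, noise_style_handshake) and the 32-byte field layout are assumptions made for the example.

```python
"""Toy model of the mail's argument: a watermarked RNG leaks its state through
raw output, so an explicit nonce copied from it lets a trapdoor holder predict
the next output, which is the ephemeral private key.  Re-hashing the output,
or (as Noise does) only ever sending a one-way transform of it, destroys the
watermark.  Everything here is constructed for the example; it is not Noise
or Dual_EC_DRBG code."""
import hashlib
import hmac
import os

# Constructed trapdoor: stands in for the secret relation between the
# Dual_EC_DRBG points P and Q that lets its holder recover generator state.
TRAPDOOR = b"constructed-trapdoor-known-only-to-the-backdoor-author"


class WatermarkedRNG:
    """Each output *is* the internal state; the next state is HMAC(TRAPDOOR, state).
    Without TRAPDOOR the stream passes as random; with it, one raw output
    determines every later output."""

    def __init__(self, seed: bytes) -> None:
        self.state = seed

    def next_bytes(self) -> bytes:
        out = self.state
        self.state = hmac.new(TRAPDOOR, self.state, hashlib.sha256).digest()
        return out


def trapdoor_predict_next(observed: bytes) -> bytes:
    """What the backdoor author computes from a value seen on the wire."""
    return hmac.new(TRAPDOOR, observed, hashlib.sha256).digest()


def keypair_from_rng(rng: WatermarkedRNG):
    """Ephemeral keypair.  The 'public key' is a one-way transform of the
    private key; SHA-256 stands in for X25519 scalar multiplication."""
    priv = rng.next_bytes()
    pub = hashlib.sha256(b"x25519-stand-in|" + priv).digest()
    return priv, pub


def handshake_with_raw_nonce(rng: WatermarkedRNG):
    """Sends an explicit nonce straight from the RNG, then derives the ephemeral
    key from the same RNG.  Returns (wire_bytes, ephemeral_priv)."""
    nonce = rng.next_bytes()
    priv, pub = keypair_from_rng(rng)
    return nonce + pub, priv


def handshake_with_hashed_nonce(rng: WatermarkedRNG):
    """Same protocol, but the nonce is hashed again before it goes on the wire
    (the mitigation the mail describes, which the peer cannot verify)."""
    nonce = hashlib.sha256(b"nonce|" + rng.next_bytes()).digest()
    priv, pub = keypair_from_rng(rng)
    return nonce + pub, priv


def noise_style_handshake(rng: WatermarkedRNG):
    """No explicit nonce: only the transformed ephemeral public key is sent."""
    priv, pub = keypair_from_rng(rng)
    return pub, priv


def attacker_recovers_ephemeral(handshake) -> bool:
    """Run one handshake on a freshly seeded RNG and report whether the trapdoor
    holder, seeing only the first 32 wire bytes, obtains the ephemeral private key.
    The attacker tries the two things a trapdoor gives: roll the observed field
    forward one step, or take the field itself as a raw output."""
    rng = WatermarkedRNG(os.urandom(32))
    wire, priv = handshake(rng)
    first_field = wire[:32]
    guesses = {trapdoor_predict_next(first_field), first_field}
    return priv in guesses


if __name__ == "__main__":
    for name, hs in [("raw nonce on wire", handshake_with_raw_nonce),
                     ("re-hashed nonce", handshake_with_hashed_nonce),
                     ("Noise-style, no nonce", noise_style_handshake)]:
        print(f"{name:24s} ephemeral key recovered: {attacker_recovers_ephemeral(hs)}")
```

The raw-nonce protocol hands the trapdoor holder the ephemeral private key with a single HMAC; the hashed-nonce and nonce-free variants force them to invert SHA-256 first, which is the same kind of assumption Noise already makes about Curve25519. Note what the model does not cover: if the RNG's outputs are themselves guessable (the "hash of the time" case in the mail), none of the three variants helps, since the attacker never needed the wire in the first place.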

