[noise] Rev30 branch

Trevor Perrin trevp at trevp.net
Thu Jun 30 11:44:32 PDT 2016

On Wed, Jun 29, 2016 at 6:21 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> On Thu, Jun 30, 2016 at 10:53 AM, Jason A. Donenfeld <Jason at zx2c4.com>
> wrote:
>> > * Explicit nonces make it easier to "backdoor" crypto implementations.
>> That's an interesting point. Do you mean simply in the sense that a
>> backdoored RNG would result in more catastrophic effects than
>> otherwise? Or do you have something else in mind?
> I interpret that as a reference to Dual_EC_DRBG and similar constructions
> where the output of the RNG contains information that can be used to derive
> the internal state.

That's right, and a good summary.  And this isn't theoretical: RSA
BSAFE and Juniper Netscreen (and who knows what else) were backdoored
via RNG + explicit nonces, and NSA tried to lobby the IETF for larger
TLS nonces, to make it easier to exfiltrate the Dual_EC state.

OTOH, I don't want to exaggerate this.

There are arguments in favor of explicit nonces (they enable ephemeral
key reuse, which lets you amortize key-generation costs).  And if
someone is in a position to backdoor the RNG, avoiding explicit nonces
won't necessarily stop them (they could always make the RNG
low-entropy, though that's perhaps more detectable and doesn't achieve
the Nobody-but-Us "NOBUS" property of a good backdoor).

So I've edited the rationale to be more nuanced:

Explicit random nonces (like TLS "Random" fields) are not used because:

 * One-time ephemeral public keys make explicit nonces unnecessary.
 * Explicit nonces allow reuse of ephemeral public keys. However
reusing ephemerals (with periodic replacement) is more complicated,
requires a secure time source, is less secure in case of ephemeral
compromise, and only provides a small optimization, since key
generation can be done for a fraction of the cost of a DH operation.
 * Explicit nonces increase message size.
 * Explicit nonces make it easier to "backdoor" crypto
implementations, e.g. by modifying the RNG so that key recovery data
is leaked through the nonce fields.
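As an added illustration of the first bullet (this is example code written for this page, not code from the Noise mailing list, the Noise specification or any Noise implementation), the following Go program runs the Noise NN pattern ("-> e", "<- e, ee") with real X25519 ephemerals but a deliberately reduced SymmetricState: the protocol name is hashed rather than padded, there is no CipherState, and Split() derives only one direction's key. Those simplifications are assumptions of the example. What it shows is that, because each side's one-time ephemeral public key is mixed into the handshake hash, two handshakes between the same parties produce distinct handshake hashes and distinct session keys with no "Random" field on the wire at all, while both sides still agree on the key.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// symmetricState is a reduced model of Noise's SymmetricState: a chaining
// key ck and a handshake hash h. Constructed for this example; the real
// spec also carries a CipherState and a two-output HKDF.
type symmetricState struct {
	ck [32]byte
	h  [32]byte
}

// newSymmetricState seeds h and ck from the protocol name. (The spec pads
// names of 32 bytes or fewer instead of hashing; hashing keeps this short.)
func newSymmetricState(protocolName string) *symmetricState {
	s := &symmetricState{}
	s.h = sha256.Sum256([]byte(protocolName))
	s.ck = s.h
	return s
}

// mixHash appends wire data to the transcript: h = HASH(h || data). Every
// ephemeral public key goes through here, which is what makes the
// transcript unique per handshake without a separate nonce field.
func (s *symmetricState) mixHash(data []byte) {
	d := sha256.New()
	d.Write(s.h[:])
	d.Write(data)
	copy(s.h[:], d.Sum(nil))
}

// mixKey absorbs a DH output: temp = HMAC(ck, ikm); ck = HMAC(temp, 0x01).
func (s *symmetricState) mixKey(ikm []byte) {
	temp := hmacSHA256(s.ck[:], ikm)
	copy(s.ck[:], hmacSHA256(temp, []byte{0x01}))
}

// split derives a session key from the final chaining key (one direction only).
func (s *symmetricState) split() (key [32]byte) {
	temp := hmacSHA256(s.ck[:], nil)
	copy(key[:], hmacSHA256(temp, []byte{0x01}))
	return key
}

func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// handshakeResult is what both sides hold after one NN handshake.
type handshakeResult struct {
	InitiatorKey  [32]byte
	ResponderKey  [32]byte
	HandshakeHash [32]byte
}

// runNN performs "-> e" and "<- e, ee" with fresh X25519 ephemerals. The
// only per-handshake randomness is the two ephemeral public keys.
func runNN() (handshakeResult, error) {
	var res handshakeResult
	curve := ecdh.X25519()

	ie, err := curve.GenerateKey(rand.Reader) // initiator ephemeral
	if err != nil {
		return res, err
	}
	re, err := curve.GenerateKey(rand.Reader) // responder ephemeral
	if err != nil {
		return res, err
	}

	init := newSymmetricState("Noise_NN_25519_ChaChaPoly_SHA256")
	resp := newSymmetricState("Noise_NN_25519_ChaChaPoly_SHA256")

	// -> e : initiator's ephemeral public key is sent; both sides hash it.
	iePub := ie.PublicKey().Bytes()
	init.mixHash(iePub)
	resp.mixHash(iePub)

	// <- e : responder's ephemeral public key is sent; both sides hash it.
	rePub := re.PublicKey().Bytes()
	init.mixHash(rePub)
	resp.mixHash(rePub)

	// ee : each side computes DH(own ephemeral, peer ephemeral) and mixes it in.
	dhI, err := ie.ECDH(re.PublicKey())
	if err != nil {
		return res, err
	}
	dhR, err := re.ECDH(ie.PublicKey())
	if err != nil {
		return res, err
	}
	init.mixKey(dhI)
	resp.mixKey(dhR)

	res.InitiatorKey = init.split()
	res.ResponderKey = resp.split()
	res.HandshakeHash = init.h
	return res, nil
}

func main() {
	a, err := runNN()
	if err != nil {
		panic(err)
	}
	b, err := runNN()
	if err != nil {
		panic(err)
	}
	fmt.Println("sides agree on key:        ", a.InitiatorKey == a.ResponderKey)
	fmt.Println("keys differ across runs:   ", a.InitiatorKey != b.InitiatorKey)
	fmt.Println("hashes differ across runs: ", a.HandshakeHash != b.HandshakeHash)
}
```

Run it with `go run .` (Go 1.20 or later, for the standard-library crypto/ecdh package). The design point is visible in mixHash: the ephemeral public key is already a fresh, unpredictable 32-byte value bound into the transcript, so a separate random field would add bytes without adding anything the key schedule does not already have.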