[noise] Raw RNG over the Wire [was: Re: Rev30 branch]

Trevor Perrin trevp at trevp.net
Fri Jul 8 09:32:26 PDT 2016

25519 public keys are integers mod 2^255 - 19 that satisfy the curve
equation, so the high bit isn't set, the other biases are probably too
subtle to matter, here

But better:  If you want to turn the public key (e) into a bunch of
public (non-secret) random-looking bytes, do something like:

Hash(e, 1) || Hash(e, 2) || ...

I.e. use e as the seed for any PRNG.


On Fri, Jul 8, 2016 at 8:13 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Fri, Jul 8, 2016 at 5:00 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>>> You already have ephemeral public keys, so you could just take 32 bits
>>> from one of them as the session index, to avoid another RNG call, but
>>> I'm not sure it's worth more effort than that.
> Here's what that looks like:
> https://git.zx2c4.com/WireGuard/commit/?id=765b5e38917260fa171de60285e2a7282d01769b
> I'm not yet convinced this actually hides the leak though, because it
> must eventually fall back to using the RNG if all the bytes of the
> ephemeral are already in use as indices. Maybe maybe that's
> acceptable? Need to think about this more...

More information about the Noise mailing list