[noise] Post-Quantum Noise with New Hope

Peter Schwabe peter at cryptojedi.org
Fri Jul 15 08:25:59 PDT 2016

Watson Ladd <watsonbladd at gmail.com> wrote:

Hi Watson,

> > Yeah, that's really embarrassing. We'll have new software online in a
> > few days that is faster and also fixes this issue.
> Is it? If your system RNG is broken, you need a better system.

It's a defensive measure to not send the output of the system's RNG over
the network. Imagine you're using Dual_EC_DRBG (which obviously you
shouldn't). If you send output of this RNG *once*, an attacker learns
all future output and breaks all of your crypto. Hashing the output of
the RNG before sending it costs almost nothing and prevents this attack.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160715/85dd9151/attachment.sig>

More information about the Noise mailing list