[noise] Invalid point attacks

Jason A. Donenfeld Jason at zx2c4.com
Thu Mar 30 13:52:20 PDT 2017

On Thu, Mar 30, 2017 at 6:37 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> 1. It prevents accidents in which a peer might shoot himself in the
>> foot with a bad RNG for ephemerals and/or bad static key.
> It doesn't prevent that.  A low-entropy private key multiplied by the
> base point is still a valid public key.

Yea obviously. But usually when RNGs fail, they wind up just returning
all zeros. By "usual" I mean the majority of things I've dealt with in
the wild. Since it's nearly free (quick comparison of 4 qwords) to
implement, this seems like a nice failsafe.

More information about the Noise mailing list