[noise] Invalid point attacks
Jason A. Donenfeld
Jason at zx2c4.com
Thu Mar 30 13:52:20 PDT 2017
On Thu, Mar 30, 2017 at 6:37 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> 1. It prevents accidents in which a peer might shoot himself in the
>> foot with a bad RNG for ephemerals and/or bad static key.
>
> It doesn't prevent that. A low-entropy private key multiplied by the
> base point is still a valid public key.
Yea obviously. But usually when RNGs fail, they wind up just returning
all zeros. By "usual" I mean the majority of things I've dealt with in
the wild. Since it's nearly free (quick comparison of 4 qwords) to
implement, this seems like a nice failsafe.
More information about the Noise
mailing list