On 03/10/13 15:14, Adam Back wrote:
> Well I think there are two issues:
>
> 1. if the public key is derived from a password (like a bitcoin
> brainwallet), or as in EC based PAKE systems) then if the point
> derived from your password isn't on the curve, then you know that
> is not a candidate password, hence you can for free narrow the
> password search. (Which particularly for PAKE systems weakens
> their security).

Presumably if you ensure that the private key is valid, the public key derived from it must be a point on the curve. So it's a matter of validating private rather than public keys.

I understand what you're saying about a timing side-channel in the draft-harkins-tls-pwd approach, but here I'm not concerned with validating a public key after generating it, but rather with the puzzling statement that there's no need to validate a public key after receiving it:

"How do I validate Curve25519 public keys? Don't. The Curve25519 function was carefully designed to allow all 32-byte strings as Diffie-Hellman public keys."

http://cr.yp.to/ecdh.html#validate

> 2. if the software doesn't properly validate that the point is on
> the curve, and tries to do an operation involving a private key or
> secret, anyway, it may leak some of the secret. DJB has some
> slides saying he found some software does not check.

Hmm, so perhaps the statement quoted above simply means "Curve25519 contains its own key validation code, and will complain if the string you give it isn't a valid public key?"

Cheers,
Michael

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography