On Thu, Apr 24, 2014 at 4:04 PM, Colin Percival <cperc...@tarsnap.com> wrote:
> If you receive y=1 from a protocol-compliant endpoint, it is running with
> FPS turned off.

You're right. I had to think for a bit to come up with a proof -- for anyone else who is wondering, it follows from there being no non-trivial square roots of unity mod p for prime p, and from the fact that we're working in the group of quadratic residues mod p.

> Protocol non-compliant endpoints could hardcode other values, e.g., y=2,
> which would also have the effect of breaking FPS, but of course non-compliant
> endpoints could do all sorts of things to deliberately leak keys.

Yeah, there's not much we can do to prevent that.

> It's certainly plausible as an anti-foot-shooting mechanism. It doesn't gain
> you any theoretical security (since it can be circumvented), but it might
> still be useful in practice.
>
> Want to send me a patch?

Sure, I can take a crack at it. I'll let you (and the list) know when I have something.

-- Fred
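The group argument and the anti-foot-shooting check discussed above, as an added example that is not code from this thread or from the project: a receiver-side validation of a Diffie-Hellman public value y in the quadratic-residue subgroup of a safe prime, which flags y=1 (the FPS-off signal) separately from values outside the group, plus an exhaustive check on a toy safe prime that g^x can only equal 1 when x is a multiple of q. The parameters p=23, q=11, g=4 are constructed for illustration; the real protocol's parameters and the exact form of the patch are not shown on the page.

```python
# Added example, not the project's code. Toy safe prime P = 2*Q + 1 and a
# generator G of the order-Q quadratic-residue subgroup (constructed values).
P = 23
Q = (P - 1) // 2
G = 4  # 2^2 mod 23, so a quadratic residue; it generates the order-Q subgroup


def in_qr_subgroup(y: int, p: int = P) -> bool:
    """True iff 0 < y < p and y lies in the order-q subgroup of residues mod p.

    Membership test: y^q == 1 (mod p). This rejects 0, p-1 (== -1, which is a
    non-residue when p = 3 mod 4) and every other non-residue.
    """
    q = (p - 1) // 2
    return 0 < y < p and pow(y, q, p) == 1


def check_peer_value(y: int, p: int = P) -> str:
    """Classify a received public value the way an anti-foot-shooting check would.

    'fps-off' : y == 1; per the thread, a compliant endpoint only sends this
                when forward perfect secrecy is disabled (assumed convention)
    'invalid' : y outside the subgroup (0, p-1, out of range, non-residue)
    'ok'      : a value that could be a genuine ephemeral g^x
    """
    if y == 1:
        return "fps-off"
    if not in_qr_subgroup(y, p):
        return "invalid"
    return "ok"


def exponents_giving_identity(g: int = G, p: int = P) -> list:
    """All x in [0, p-1) with g^x == 1 (mod p), found by brute force.

    For a generator of the order-q subgroup these are exactly the multiples
    of q, which is why y == 1 cannot come from a random exponent in [1, q).
    """
    return [x for x in range(p - 1) if pow(g, x, p) == 1]


def square_roots_of_unity(p: int = P) -> list:
    """All y with y^2 == 1 (mod p). For prime p only 1 and p-1 qualify, and
    p-1 is not a residue here, so 1 is the only root of unity in the subgroup."""
    return [y for y in range(1, p) if (y * y) % p == 1]


if __name__ == "__main__":
    print(exponents_giving_identity(), square_roots_of_unity())
    for y in (1, 0, 22, 5, 4):
        print(y, check_peer_value(y))
```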