On 8/6/14, Trevor Perrin <[email protected]> wrote:
> Hi,
>
> So Watson and others are working on IETF specs for 25519 [1], and I'm
> working on a proposal for 25519 in W3C WebCrypto [2].
>
> There's a processing detail everyone should agree on:
>
> The DJB papers specify precise formats for public keys and signatures
> [3,4]. However, some implementations are tolerant of noncompliant
> "unreduced" values (treating them as equivalent to the reduced
> values).
>
> That's harmless for interop, as no implementations produce such
> values, and I believe harmless for security.

*Every* property which can be used to distinguish between two
implementations or implementation strategies is a security vulnerability.

I'm writing up a more complete piece on this to send to CFRG. I'm glad
someone else is looking at Ed25519 with an eye toward this type of flaw,
but you seem to have missed the big one there: there is a trade-off
between allowing fast single-signature verification (without
decompressing R) and allowing fast batch verification (by decompressing
R and multiplying it by 8), which each application needs to resolve.

Robert Ransom
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
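An added example, not part of either message, of the strict decoding that removes the "unreduced values" ambiguity Perrin describes: a Python check that flags Ed25519 wire values a tolerant verifier would silently reduce (R with y >= p, S >= L). It assumes the standard 64-byte R || S signature layout and uses constructed byte strings, not real signatures.

```python
# Added example: canonical-encoding checks for Ed25519 signature bytes.
# Field prime and group order are the Ed25519 constants.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493


def is_canonical_point(enc: bytes) -> bool:
    """True iff the compressed point's y coordinate is already reduced (y < p).

    Bit 255 is the sign of x; the low 255 bits are y. A decoder that reduces
    y mod p would also accept y + p for every y < 19, giving those points a
    second valid encoding that a strict decoder rejects.
    """
    if len(enc) != 32:
        raise ValueError("point encoding must be 32 bytes")
    y = int.from_bytes(enc, "little") & ((1 << 255) - 1)
    return y < P


def is_canonical_scalar(enc: bytes) -> bool:
    """True iff S < L. Since L*B is the identity, a verifier that skips this
    check accepts S + L as a second valid signature for the same message."""
    if len(enc) != 32:
        raise ValueError("scalar encoding must be 32 bytes")
    return int.from_bytes(enc, "little") < L


def noncanonical_reasons(sig: bytes) -> list:
    """Encoding defects in a 64-byte signature R || S; empty list means strict-clean."""
    if len(sig) != 64:
        return ["signature must be 64 bytes"]
    reasons = []
    if not is_canonical_point(sig[:32]):
        reasons.append("R.y >= p (unreduced field element)")
    if not is_canonical_scalar(sig[32:]):
        reasons.append("S >= L (unreduced scalar)")
    return reasons


def demo() -> dict:
    # Constructed values (not real signatures): reduced and unreduced forms of
    # R and S, the inputs on which a strict and a tolerant verifier disagree.
    r_ok = (P - 1).to_bytes(32, "little")
    r_bad = ((P + 5) | (1 << 255)).to_bytes(32, "little")  # y = p + 5, sign bit set
    s_ok = (L - 1).to_bytes(32, "little")
    s_bad = (L + 7).to_bytes(32, "little")
    return {
        "strict": noncanonical_reasons(r_ok + s_ok),
        "unreduced_R": noncanonical_reasons(r_bad + s_ok),
        "unreduced_S": noncanonical_reasons(r_ok + s_bad),
    }
```

Run `demo()` to see which constructed signature each rule rejects; the check is a pre-filter, the usual verification equation still has to run on anything it lets through.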
