On Fri, Sep 18, 2015 at 5:10 AM, Watson Ladd <[email protected]> wrote:
> On Sat, Sep 12, 2015 at 6:33 PM, Trevor Perrin <[email protected]> wrote:
>> There's an updated paper and new code for MSR's FourQ curve:
>> [...]
>> What do people think?
>> [...]
>
> The FourQ paper insists that rejecting invalid points is a viable
> implementation strategy that provides compatibility with existing
> software. Recently teams have independently rediscovered (or perhaps
> just republicized) vulnerabilities in Bouncycastle version 1.50 that
> stemmed from not validating points.
>
> It may be true that their software properly handles all inputs, and
> carefully documents what callers must do to get the claimed security.
> But in practice we know that reimplementation frequently happens, and
> that these reimplementations frequently contain issues around point
> validation.
The paper notes that single-coordinate ladders aren't efficient on FourQ, so
"twist-security" is irrelevant.

With non-ladder implementations you'll have to validate FourQ points if you're
not decompressing, but that's generally true - including for 25519 and 448!

FourQ's decompression is particularly efficient. So one could argue FourQ
implementations are likely to always use compressed points, and thus are
*less* likely to expose themselves to invalid-curve attacks than curves where
compression is more costly.

Trevor
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
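Added example, not from the thread or from the FourQ code: the "validate if you're not decompressing" point illustrated on Ed25519 (curve constants and base point from RFC 8032), since FourQ's GF(p^2) constants are not on this page. Decompression can only produce a point that satisfies the curve equation (or fail), whereas a raw (x, y) pair must be checked explicitly; the off-curve pair below is constructed by nudging the base point's y.

```python
# Ed25519 parameters (RFC 8032): p = 2^255 - 19, twisted Edwards curve
# -x^2 + y^2 = 1 + d*x^2*y^2 with d = -121665/121666 mod p.
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)  # a square root of -1 mod p (p = 5 mod 8)

# Base point B from RFC 8032 (x is even, so its compressed sign bit is 0).
BX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
BY = 46316835694926478169428394003475163141307993866256225615783033603165251855960

# Constructed invalid input: BX paired with a y that is not on the curve.
BAD_X, BAD_Y = BX, BY + 1


def on_curve(x, y):
    """Explicit validation needed when a peer hands you raw (x, y)."""
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def decompress(y, x_is_odd=False):
    """Recover x from y as in RFC 8032 section 5.1.3.

    Returns None when no curve point has this y (about half of all y
    values), so a caller can never end up holding an off-curve point.
    """
    if not 0 <= y < P:
        return None
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P           # never 0: -1/d is a non-square
    # Candidate root of u/v: x = u * v^3 * (u * v^7)^((p-5)/8)
    x = (u * pow(v, 3, P) * pow(u * pow(v, 7, P), (P - 5) // 8, P)) % P
    if (v * x * x - u) % P != 0:
        x = (x * SQRT_M1) % P         # v*x^2 == -u case: multiply by sqrt(-1)
        if (v * x * x - u) % P != 0:
            return None               # u/v is not a square: reject
    if x == 0 and x_is_odd:
        return None                   # encoding of x=0 with sign bit set
    if (x & 1) != int(x_is_odd):
        x = P - x
    return x


if __name__ == "__main__":
    print("decompress(BY) recovers BX:", decompress(BY) == BX)
    print("raw (BX, BY) on curve:", on_curve(BX, BY))
    print("raw (BAD_X, BAD_Y) on curve:", on_curve(BAD_X, BAD_Y))
    print("some y in 2..59 has no point:",
          any(decompress(y) is None for y in range(2, 60)))
```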
