On 25/04/2014 11:57, Johannes Merkle wrote:
> When re-using keys for ECDHE (which is the default behavior in some
> implementations, e.g. OpenSSL) or when using non-ephemeral ECDH, the validity
> of the received public DH-key should be checked to avoid non-group attacks
> (if the curve is not twist secure).

I disagree with the parenthesis. Unless I'm seriously mistaken, as long as
both x and y coordinates are transmitted, implementations have to check if
the point lies on the curve even if the curve is twist secure.

Manuel.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
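
The check discussed in this message, as an added example that is not part of the original post or of any implementation named in it: validating a received ECDH public key sent as both coordinates (SEC1 uncompressed form, 0x04 || X || Y) before it is used. The choice of NIST P-256 and all function names are assumptions made for illustration.

```python
# Added example: validate a peer's ECDH public key received with both
# coordinates. Curve (NIST P-256) and all names here are assumptions.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32  # bytes per coordinate on a 256-bit curve


class InvalidPublicKey(ValueError):
    """Raised when a received point must not be used for key agreement."""


def on_curve(x: int, y: int) -> bool:
    # Short Weierstrass equation: y^2 = x^3 + a*x + b (mod p)
    return (y * y - (x * x * x + A * x + B)) % P == 0


def encode_point(x: int, y: int) -> bytes:
    return b"\x04" + x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")


def parse_and_validate(encoded: bytes) -> tuple:
    # 1. Format: only the uncompressed form is accepted. The point at
    #    infinity (single byte 0x00) fails this length check.
    if len(encoded) != 1 + 2 * COORD_LEN or encoded[0] != 0x04:
        raise InvalidPublicKey("not an uncompressed point of expected length")
    x = int.from_bytes(encoded[1:1 + COORD_LEN], "big")
    y = int.from_bytes(encoded[1 + COORD_LEN:], "big")
    # 2. Range: both coordinates must be reduced field elements.
    if x >= P or y >= P:
        raise InvalidPublicKey("coordinate is not in [0, p-1]")
    # 3. Curve membership: needed whenever y is supplied by the peer,
    #    whether or not the curve is twist secure.
    if not on_curve(x, y):
        raise InvalidPublicKey("point does not satisfy the curve equation")
    # P-256 has cofactor 1, so no separate subgroup check is required here.
    return x, y


def is_valid(encoded: bytes) -> bool:
    try:
        parse_and_validate(encoded)
        return True
    except InvalidPublicKey:
        return False
```

On curves with a cofactor greater than 1, a subgroup-membership check would be needed in addition to the three steps shown.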
