Manuel Pégourié-Gonnard wrote on 25.04.2014 13:57:
> On 25/04/2014 11:57, Johannes Merkle wrote:
>> When re-using keys for ECDHE (which is the default behavior in some
>> implementations, e.g. OpenSSL) or when using non-ephemeral ECDH, the validity
>> of the received public DH-key should be checked to avoid non-group attacks
>> (if the curve is not twist secure).
>
> I disagree with the parenthesis. Unless I'm seriously mistaken, as long as both
> x and y coordinates are transmitted, implementations have to check if the point
> lies on the curve even if the curve is twist secure.
>
You are right, I was mistaken. As long as the curve is twist secure AND single co-ordinate formulas (ladders) are used, you need to check the validity in order to prevent serious key leakage.

--
Johannes
