[curves] Handling invalid (unreduced) public keys and signatures in 25519

Robert Ransom rransom.8774 at gmail.com
Wed Aug 6 15:38:44 PDT 2014

On 8/6/14, Trevor Perrin <trevp at trevp.net> wrote:
> Hi,
> So Watson and others are working on IETF specs for 25519 [1], and I'm
> working on a proposal for 25519 in W3C WebCrypto [2].
> There's a processing detail everyone should agree on:
> The DJB papers specify precise formats for public keys and signatures
> [3,4].  However, some implementations are tolerant of noncompliant
> "unreduced" values (treating them as equivalent to the reduced
> values).
> That's harmless for interop, as no implementations produce such
> values, and I believe harmless for security.

*Every* property which can be used to distinguish between two
implementations or implementation strategies is a security
vulnerability.  I'm writing up a more complete piece on this to send
to CFRG.

I'm glad someone else is looking at Ed25519 with an eye toward this
type of flaw, but you seem to have missed the big one there: there is
a trade-off between allowing fast single-signature verification
(without decompressing R) and allowing fast batch verification (by
decompressing R and multiplying it by 8), which each application needs
to resolve.

Robert Ransom
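
Added example, not part of the original message or of any implementation discussed in the thread: a strict-versus-tolerant check for the "unreduced" encodings in question. It assumes the usual 32-byte little-endian layout (255-bit value plus one top bit), the field prime p = 2^255 - 19 and the base-point order L; the function names are hypothetical.

```python
# Added example: classify 25519 encodings as reduced or unreduced.
from typing import Optional, Tuple

P = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # base-point order
MASK255 = (1 << 255) - 1

def decode_field(b: bytes) -> Tuple[int, int]:
    """Split a 32-byte little-endian encoding into (255-bit value, top bit)."""
    if len(b) != 32:
        raise ValueError("expected 32 bytes")
    n = int.from_bytes(b, "little")
    return n & MASK255, n >> 255

def is_reduced_field(b: bytes) -> bool:
    """Strict parser: accept only values already in [0, p-1]."""
    value, _ = decode_field(b)
    return value < P

def tolerant_field(b: bytes) -> int:
    """Tolerant parser: silently work with the value mod p."""
    value, _ = decode_field(b)
    return value % P

def unreduced_encoding(b: bytes) -> Optional[bytes]:
    """Return the unreduced encoding (value + p) of the same field element,
    or None when value + p does not fit in 255 bits (true for all but 0..18)."""
    value, top = decode_field(b)
    alias = value % P + P
    if alias > MASK255:
        return None
    return (alias | (top << 255)).to_bytes(32, "little")

def is_reduced_scalar(s: bytes) -> bool:
    """Strict check for the S half of a signature: must be in [0, L-1]."""
    if len(s) != 32:
        raise ValueError("expected 32 bytes")
    return int.from_bytes(s, "little") < L

if __name__ == "__main__":
    nine = (9).to_bytes(32, "little")          # constructed sample: u = 9
    alias = unreduced_encoding(nine)
    print("reduced  :", nine.hex(), is_reduced_field(nine))
    print("unreduced:", alias.hex(), is_reduced_field(alias))
    print("same element when tolerated:", tolerant_field(alias) == tolerant_field(nine))
```

Only the field elements 0 through 18 have a second 255-bit encoding, so the two parsers differ on exactly those inputs; whichever behaviour a spec picks, a test vector built from such an encoding shows which one an implementation follows.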
