[curves] FourQ

Trevor Perrin trevp at trevp.net
Fri Sep 18 16:42:13 PDT 2015


On Fri, Sep 18, 2015 at 5:10 AM, Watson Ladd <watsonbladd at gmail.com> wrote:
> On Sat, Sep 12, 2015 at 6:33 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> There's an updated paper and new code for MSR's FourQ curve:
[...]
>> What do people think?
[...]
>
> The FourQ paper insists that rejecting invalid points is a viable
> implementation strategy that provides compatibility with existing
> software. Recently teams have independently rediscovered (or perhaps
> just republicized) vulnerabilities in Bouncycastle version 1.50 that
> stemmed from not validating points.
>
> It may be true that their software properly handles all inputs, and
> carefully documents what callers must do to get the claimed security.
> But in practice we know that reimplementation frequently happens, and
> that these reimplementations frequently contain issues around point
> validation.

The paper notes that single-coordinate ladders aren't efficient on
FourQ, so "twist-security" is irrelevant.

With non-ladder implementations you'll have to validate FourQ points
if you're not decompressing, but that's generally true - including for
25519 and 448!

FourQ's decompression is particularly efficient.  So one could argue
FourQ implementations are likely to always use compressed points, and
thus are *less* likely to expose themselves to invalid-curve attacks
than curves where compression is more costly.


Trevor


More information about the Curves mailing list