[curves] Climbing the elliptic learning curve (was: Re: Finalizing XEdDSA)

[Trevor Perrin]

On Tue, Jan 31, 2017 at 2:32 AM, Antonio Sanso <asanso at adobe.com> wrote:
> Of course even if I was able to calculate an equivalent public key there is no chance I can retrieve the associate
> private key (of course this would be like breaking DH, right?).
>
> Said that, last silly question on the topic is:
>
> in which situation not checking for the “right” public key can be a problem?
> Trevor mentioned already one situation, but I fail to see without the knowledge
> of the associated private key, where this could be an harm….


A key exchange protocol might want to guarantee that if the protocol
completes successfully, both parties have the same secret key *and*
agree on things like the identities of the two parties.

So if an attacker can change a transmitted public key into a
different-but-equivalent public key, a protocol might complete
successfully despite the parties having a different view of the public
keys.

This type of issue is often called "unknown key share" or "identity
misbinding".  Avoiding it motivates things like hashing public keys
(and maybe other identity info) into session keys, or MAC'ing them
with session keys, etc.

As far as cases where equivalent DH public keys are a concrete security problem:

Maybe you meet someone online, they authenticate with identity public
key Y, but then when you meet them in person they claim public key X,
so you don't believe they're the same person.  But they are!, an
attacker just changed X to Y.

With some creativity you could perhaps think of other cases where this
causes minor confusion.

Trevor