[noise] out of curve points

Trevor Perrin trevp at trevp.net
Wed Sep 16 17:41:49 PDT 2015


On Wed, Sep 9, 2015 at 12:10 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Hi folks,
>
> The curve25519 implementation I'm using (agl's) returns all zeros if its
> given points that are outside of the twist. How should noise handle peers
> sending each other bogus points?

A party could always use some published value for their "private" key,
so that the DH output is known.

Choosing a bogus keypair that also causes a known or all-zeros DH
isn't that different.  But a good party should never do this.

So as long as computing with a bogus input doesn't reveal information
about the private key (which it doesn't, since 25519 is
"twist-secure"), I think we can let this be implementation defined.
In the case of 25519: the DH could error, or return zeros, or just do
the scalar multiply.

In an anonymity context you might want to mandate behavior, so that
different parties can't be "fingerprinted" based on this.  But I don't
see a security concern besides that.

Anyways, I'll add something about that in next rev.


Trevor


More information about the Noise mailing list