[noise] out of curve points

Trevor Perrin trevp at trevp.net
Sat Sep 19 11:45:39 PDT 2015


On Sat, Sep 19, 2015 at 12:49 AM, Mike Hamburg <mike at shiftleft.org> wrote:
> You're going to need to be very careful in the security proof if you make it easy for an attacker to set your key to mostly zeros. It looks to me like it's *probably* secure, but I get the feeling that eg the original tripleDH might not have been secure in this context since it doesn't hash the session and relies on scalar multiplication being 1:1.


I don't follow - how is a DH output being zero, or k being zero,
different than any other value?

Noise *is* careful to bind all static public keys into subsequent
encryptions, so it doesn't need any additional assumptions (e.g.
scalar multiplication being 1:1) to deal with identity binding.

Trevor


>
> -- Mike
>
> Sent from my phone.  Please excuse brevity and typos.
>
>>> On Sep 17, 2015, at 02:41, Trevor Perrin <trevp at trevp.net> wrote:
>>>
>>> On Wed, Sep 9, 2015 at 12:10 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>>> Hi folks,
>>>
>>> The curve25519 implementation I'm using (agl's) returns all zeros if its
>>> given points that are outside of the twist. How should noise handle peers
>>> sending each other bogus points?
>>
>> A party could always use some published value for their "private" key,
>> so that the DH output is known.
>>
>> Choosing a bogus keypair that also causes a known or all-zeros DH
>> isn't that different.  But a good party should never do this.
>>
>> So as long as computing with a bogus input doesn't reveal information
>> about the private key (which it doesn't, since 25519 is
>> "twist-secure"), I think we can let this be implementation defined.
>> In the case of 25519: the DH could error, or return zeros, or just do
>> the scalar multiply.
>>
>> In an anonymity context you might want to mandate behavior, so that
>> different parties can't be "fingerprinted" based on this.  But I don't
>> see a security concern besides that.
>>
>> Anyways, I'll add something about that in next rev.
>>
>>
>> Trevor
>> _______________________________________________
>> Noise mailing list
>> Noise at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/noise


More information about the Noise mailing list