[curves] Handling invalid (unreduced) public keys and signatures in 25519
Trevor Perrin
trevp at trevp.net
Wed Aug 6 16:21:01 PDT 2014
On Wed, Aug 6, 2014 at 3:38 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> On 8/6/14, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> The DJB papers specify precise formats for public keys and signatures
>> [3,4]. However, some implementations are tolerant of noncompliant
>> "unreduced" values (treating them as equivalent to the reduced
>> values).
>>
>> That's harmless for interop, as no implementations produce such
>> values, and I believe harmless for security.
>
> *Every* property which can be used to distinguish between two
> implementations or implementation strategies is a security
> vulnerability.
You're concerned about "fingerprinting" of implementations which might
reduce anonymity, e.g. in Tor? Huh. That's an unusual concern, but I
guess legitimate.
I was proposing implementations have the option to reject invalid
values OR keep processing via bit-masking then reduction. If a single
behavior was to be mandated, which would you recommend?
I think I'd prefer the latter, since:
- It's what most Curve25519 implementations do,
- I think it's an easier retrofit to code that doesn't currently do
it (just mask a few bits, as opposed to big-integer comparison)
- It doesn't require an error-handling case in code which may not have one.
> I'm glad someone else is looking at Ed25519 with an eye toward this
> type of flaw, but you seem to have missed the big one there: there is
> a trade-off between allowing fast single-signature verification
> (without decompressing R) and allowing fast batch verification (by
> decompressing R and multiplying it by 8), which each application needs
> to resolve.
I don't follow, does this have some bad interaction with
mask-then-reduce processing?
Trevor
More information about the Curves
mailing list