[noise] out of curve points

Jason A. Donenfeld Jason at zx2c4.com
Wed Sep 9 12:10:48 PDT 2015


Hi folks,

The curve25519 implementation I'm using (agl's) returns all zeros if it's
given points that are outside of the twist. How should noise handle peers
sending each other bogus points?

Option 1: Do nothing. ECDH() will return 32 bytes of zeros, which will then
continue along happily computing things.

Option 2: Compare ECDH() output to all zeros in constant time, and return
an error if it matches.

Option 1 would be a lot simpler, obviously. But is this safe? Is it
*guaranteed* that continuing the chain of calculations from all zeros will
always result in some invalid state that will be rejected anyway? Or is
there actually something dangerous here?

With option 2, I'd just ignore the message and not let it change any
session state, as I currently do if AEAD fails.

Which is best?

Thanks,
Jason
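
Option 2 from the message above as an added C example, not code from the post or from any curve25519 implementation. `struct session`, `is_all_zero_ct` and `session_accept_dh` are hypothetical names, and the 32-byte ECDH() outputs are constructed inputs rather than results of a real scalar multiplication.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DH_LEN 32

/* Hypothetical per-peer state; only the part this check touches. */
struct session {
    uint8_t dh_secret[DH_LEN];
    int     have_secret;
};

/* Returns 1 if all len bytes are zero, else 0. Every byte is read and the
 * source has no data-dependent branch, so timing does not reveal where
 * the first non-zero byte sits. */
static int is_all_zero_ct(const uint8_t *buf, size_t len)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    /* acc is 0..255: (acc - 1) wraps to 0xFFFFFFFF only when acc == 0 */
    return (int)(((acc - 1) >> 8) & 1);
}

/* Option 2: reject an all-zero ECDH() result before it reaches any
 * session state. Returns 0 on accept, -1 on reject. */
static int session_accept_dh(struct session *s, const uint8_t dh_out[DH_LEN])
{
    if (is_all_zero_ct(dh_out, DH_LEN))
        return -1;               /* ignore the message, state untouched */
    memcpy(s->dh_secret, dh_out, DH_LEN);
    s->have_secret = 1;
    return 0;
}

int main(void)
{
    struct session s = {0};
    uint8_t bogus[DH_LEN] = {0};   /* constructed: all-zero ECDH() output */
    uint8_t good[DH_LEN]  = {0};
    good[DH_LEN - 1] = 0x01;       /* constructed: non-zero only in last byte */

    printf("bogus -> %d\n", session_accept_dh(&s, bogus));
    printf("good  -> %d\n", session_accept_dh(&s, good));
    return 0;
}
```

The final `if` branches only on the accept/reject bit, which the peer learns anyway from whether the handshake proceeds.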