[noise] out of curve points

Trevor Perrin trevp at trevp.net
Sat Sep 19 15:20:57 PDT 2015


On Sat, Sep 19, 2015 at 12:25 PM, Michael Hamburg <mike at shiftleft.org> wrote:
>
>
>> On Sep 19, 2015, at 8:45 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> On Sat, Sep 19, 2015 at 12:49 AM, Mike Hamburg <mike at shiftleft.org> wrote:
>>> You're going to need to be very careful in the security proof if you make it easy for an attacker to set your key to mostly zeros. It looks to me like it's *probably* secure, but I get the feeling that eg the original tripleDH might not have been secure in this context since it doesn't hash the session and relies on scalar multiplication being 1:1.
>>
>>
>> I don't follow - how is a DH output being zero, or k being zero,
>> different than any other value?
>>
>> Noise *is* careful to bind all static public keys into subsequent
>> encryptions, so it doesn't need any additional assumptions (e.g.
>> scalar multiplication being 1:1) to deal with identity binding.
>>
>> Trevor
>
> Maybe it’s the same as any other value, or at least the same as the identity / small-torsion points.
>
> I’m not going to think about this too hard since I’m on vacation.  But can an attacker set their long-term public key and ephemeral to the identity / invalid, thereby causing the session keys of everyone who talks to them to collide?

That's a possible outcome, given implementation-defined handling of
invalid public keys.


> Is that even an attack?

No, IMO - if one party in a session is misbehaving, neither party to
that session can expect any security for the session.

Sometimes people run password protocols on top of a session and want
unique channel binding so their messages can't be forwarded through a
different session.

I'll add a security consideration so people don't do anything
stupid in that case (it's safe to bind your ephemeral public key, not
k).

Trevor

