[noise] Invalid point attacks

Jason A. Donenfeld Jason at zx2c4.com
Thu Mar 30 10:17:32 PDT 2017

On Thu, Mar 30, 2017 at 6:37 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> 4. Allowing for DH to "maybe return null" significantly complicates
>> the security analysis and formal verification.
> Typically formal models idealize DH as working in a prime-order group.
> Doing zero checks rules out small-order inputs, but does *not*
> guarantee working in a prime-order group, which would require a more
> expensive scalar multiplication to validate the input point.
> So unless we do a full point validation (scalar multiplication) we're
> not going to match a simplified idealization of DH.

I was under the impression that everything was fonzerelli with 25519:
you either get back a valid point, or you get back NULL. By erroring
out on NULL, the real case should be identical to the ideal case.

More information about the Noise mailing list