[noise] Invalid point attacks

Trevor Perrin trevp at trevp.net
Thu Mar 30 11:25:25 PDT 2017

On Thu, Mar 30, 2017 at 10:17 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Thu, Mar 30, 2017 at 6:37 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>> 4. Allowing for DH to "maybe return null" significantly complicates
>>> the security analysis and formal verification.
>> Typically formal models idealize DH as working in a prime-order group.
>> Doing zero checks rules out small-order inputs, but does *not*
>> guarantee working in a prime-order group, which would require a more
>> expensive scalar multiplication to validate the input point.
>> So unless we do a full point validation (scalar multiplication) we're
>> not going to match a simplified idealization of DH.
> I was under the impression that everything was fonzerelli with 25519:
> you either get back a valid point, or you get back NULL. By erroring
> out on NULL, the real case should be identical to the ideal case.

Even with this check, 25519 DH will map certain inputs to the same
output (due to both cofactor and unreduced inputs), which DH on a
prime-order group will not do.


More information about the Noise mailing list