[cryptography] A question about public keys

Michael Rogers michael at briarproject.org
Thu Oct 3 11:53:09 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/10/13 15:14, Adam Back wrote:
> Well I think there are two issues:
> 
> 1. if the public key is derived from a password (like a bitcoin 
> brainwallet), or as in EC based PAKE systems) then if the point 
> derived from your password isnt on the curve, then you know that
> is not a candidate password, hence you can for free narrow the
> password search.  (Which particularly for PAKE systems weakens
> their security).

Presumably if you ensure that the private key is valid, the public key
derived from it must be a point on the curve. So it's a matter of
validating private rather than public keys.

I understand what you're saying about a timing side-channel in the
draft-harkins-tls-pwd approach, but here I'm not concerned with
validating a public key after generating it, but rather with the
puzzling statement that there's no need to validate a public key after
receiving it:

"How do I validate Curve25519 public keys?

Don't. The Curve25519 function was carefully designed to allow all
32-byte strings as Diffie-Hellman public keys."

http://cr.yp.to/ecdh.html#validate

> 2. if the software doesnt properly validate that the point is on
> the curve, and tries to do an operation involving a private key or 
> secret, anyway, it may leak some of the secret.  DJB has some
> slides saying he found some software does not check.

Hmm, so perhaps the statement quoted above simply means "Curve25519
contains its own key validation code, and will complain if the string
you give it isn't a valid public key?"

Cheers,
Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJSTZLlAAoJEBEET9GfxSfM4dMH/jo83Jse5V6DqnZwaIkNesLY
AufH8+amkMALbO8Db7r/sG+cGXMy8sSRWqPTJ0jXd3z4ZAgKbx3aW2eBEmIU9i3Y
K0jkABVJty3XyvPAspoCUwZ+Fh7brUSCRHQJt0MWMQADPdoXJUY+iobmCGgO4Qbk
+npDlo3pTNeEofsvkEM3uSPofR88JXvMC1sYhGr4+GMsBt330vG2Zd278AlVTlOb
fVpwEtlad5Fb58RfGidMb4n7BUKKmkPI3KJewpJEXfc8CMP1ITsmX8hTzIz0wakz
ubjwDu7ENUMkZhfkt4qNpTLeWQBOFrrfUDe9qrlTY5GpbNfy295K/aWMvi65c6g=
=sxPV
-----END PGP SIGNATURE-----


More information about the cryptography mailing list