Timeline for Why do public keys need to be validated?
Current License: CC BY-SA 3.0
9 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Feb 16, 2018 at 18:57 | comment added | Bogdan Alexandru | | @poncho Thanks for the reply. So in effect there is no issue if you receive the keys over some specific communication protocol, where you expect two coordinates, each with a specific number of octets. |
| Feb 16, 2018 at 17:18 | comment added | poncho♦ | | @BogdanAlexandru: well, that depends on how the point is communicated. If you simply don't have a 'bits-on-the-wire' representation for 'point at infinity', well, then it is in fact a nonissue. However, sometimes we use packages that were designed to handle the general EC case (and not only the parts that are of interest to crypto); those packages may have some hooks to communicate the identity element. |
| Feb 16, 2018 at 17:04 | comment added | Bogdan Alexandru | | @poncho What do you mean by "to make sure that his point is not the point-at-infinity"? The point-at-infinity has no coordinates, so it can't actually be represented by a pair of X and Y coordinates that the attacker sends you. |
| Oct 7, 2012 at 10:17 | vote accept | CodesInChaos | | |
| Sep 19, 2012 at 15:43 | comment added | poncho♦ | | @CodesInChaos: if we're talking about a prime-order curve, and we get a point $Y$ that's on the curve, and not the point at infinity, then there's no further validation possible; we know that there must be some value $y$ with $Y = yG$, and so it is a possible public value from the peer. |
| Sep 19, 2012 at 15:38 | comment added | CodesInChaos | | I wasn't considering your first attack, because I forgot that many protocols don't use compressed points. I was only considering checks of points which result from decompression, and thus are on the curve. Such as checking that $qY = 0$. I'll need to reread some papers, to check if some of the attacks I read about assume points not on the curve. At least some checks seem to be curve specific, since the Curve25519 paper mentions choosing parameters so that any compressed point can be used without validation. |
| Sep 19, 2012 at 15:32 | history edited | poncho♦ | CC BY-SA 3.0 | Fixed a rather major typo |
| Sep 19, 2012 at 15:24 | history edited | poncho♦ | CC BY-SA 3.0 | Fixed typos; expanded explanation a bit |
| Sep 19, 2012 at 15:05 | history answered | poncho♦ | CC BY-SA 3.0 | |
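The comments above name three checks on a received EC public key: the point must satisfy the curve equation, it must not be the point at infinity, and (on a curve with cofactor $h > 1$) it must lie in the prime-order subgroup, i.e. $qY = \mathcal{O}$. The following is an added example, not code from the thread or from any library the participants mention. It uses a constructed toy curve, $y^2 = x^3 + x + 1$ over $\mathbb{F}_{23}$, which has $28 = 4 \cdot 7$ points, so $q = 7$ and $h = 4$; the base point, the "attacker" points and the function names are all choices made here for illustration. It also shows why a decompressed point is automatically on the curve (the decompression either yields a $y$ satisfying the equation or fails outright), but still may have small order.

```python
# Added example: public-key validation for a short-Weierstrass curve.
# Constructed toy curve for illustration (not a real-world parameter set):
#   E: y^2 = x^3 + A*x + B over F_P with P = 23, A = 1, B = 1.
#   #E = 28 = H * Q with Q = 7 (prime-order subgroup) and cofactor H = 4.
P, A, B = 23, 1, 1
INF = None  # the point at infinity; it has no affine (x, y) representation


def _inv(x):
    return pow(x, -1, P)


def is_on_curve(pt):
    """Coordinates in range and y^2 == x^3 + A*x + B (mod P)."""
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine group law; INF is the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p2 == -p1 (covers doubling a 2-torsion point)
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; toy only)."""
    r, q = INF, pt
    while k:
        if k & 1:
            r = add(r, q)
        q = add(q, q)
        k >>= 1
    return r


def count_points():
    """Brute-force group order; feasible only because P is tiny."""
    n = 1  # the point at infinity
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        n += sum(1 for y in range(P) if (y * y) % P == rhs)
    return n


N = count_points()      # 28
Q = 7                   # largest prime factor of N
H = N // Q              # cofactor 4
G = mul(H, (0, 1))      # cofactor-cleared base point of order Q; equals (13, 16)


def point_order(pt):
    """Smallest k >= 1 with k*pt == INF (brute force)."""
    k, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt)
        k += 1
    return k


def decompress(x, y_parity):
    """Recover (x, y) from x and the parity of y. P == 3 (mod 4), so
    sqrt(rhs) = rhs^((P+1)/4) when rhs is a square; otherwise there is
    no point with this x and we return None. Any point this returns
    satisfies the curve equation by construction."""
    rhs = (x ** 3 + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if (y * y) % P != rhs:
        return None
    if y % 2 != y_parity:
        y = P - y
    return (x, y)


def validate_public_key(pt):
    """The checks discussed in the thread: not the identity, on the curve,
    and in the prime-order subgroup (q*Y == INF). On a prime-order curve
    (H == 1) the last check is implied by the first two."""
    if pt is INF:
        return False
    if not is_on_curve(pt):
        return False
    if mul(Q, pt) is not INF:   # small-subgroup point: d*pt leaks d mod order(pt)
        return False
    return True
```

Running `validate_public_key` on `G` or any multiple of it returns True; `(1, 1)` is rejected as off-curve, `(4, 0)` and `(11, 3)` are on the curve but have orders 2 and 4, so they fail the $qY = \mathcal{O}$ check, and `decompress(2, 0)` returns None because $2^3 + 2 + 1 = 11$ is not a square mod 23. With a small-order point accepted, a peer's scalar multiple `mul(d, pt)` takes only `point_order(pt)` distinct values, which is the leak the order check closes.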