waxwing's avatar
waxwing 2 years ago
The TLDR here is that, yes, this was an implementation error, much as Monero made an implementation error in not checking the order of points, using the same curve with cofactor 8. in both cases the errors were patched. But the errors were very easy to miss and absolutely disastrous, especially in the libgcrypt case, allowing cracking of keys in seconds for any process that was sharing the same RAM. Others, like JP Aumassin (author of the excellent 'Serious Cryptography'), and apparently Matt Green, apparently shared, partly, my skepticism about not validating inputs: https://research.kudelskisecurity.com/2017/04/25/should-ecdh-keys-be-validated/ which btw links to this entertaining, concrete take on why not checking inputs is dodgy as hell:
Why not validate Curve25519 public keys could be harmful
Update: see this post for a real world protocol that is broken if Curve25519 public keys are not validated. Update: comments on Twitter ....
↑ Parent

Replies (1)

waxwing's avatar
waxwing 2 years ago
Do I have a point in this endless wittering? :) Well, I've always thought that engineers, and sometimes the most brilliant ones are the most guilty of this, have a tendency to over-optimise and over-engineer, and simplicity is absolutely key for robustness. There is nothing simpler than a group with NO structure - a cyclic group of prime order. And as a counterpoint, building a system which is so cool in its sophistication that you don't need to check whether external inputs are adversarial, just lacks common sense.
1 replies ↓