On Tue, December 11, 2012 1:36 pm, Dan Brown wrote:
>
>> -----Original Message-----
>> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
>> Of Dan Harkins
>> Sent: Tuesday, December 11, 2012 4:32 PM
>> To: Dan Harkins
>> Cc: IPsecme WG
>> Subject: Re: [IPsec] New draft on IKE Diffie-Hellman checks
>>
>>
>>   I made a mistake below. Thanks to Dan Brown for pointing it out.
>>
>> On Tue, December 11, 2012 10:06 am, Dan Harkins wrote:
>> [snip]
>> >   - I think it should be mentioned that elliptic curve groups
>> >      have a co-factor, h, and if h > 1 that a further check is
>> >      also required, namely, if the x- and y-coordinates define
>> >      a point Q then ensure that:
>> >
>> >            hQ = point-at-infinity
>> >
>> >      Add this check to both 2.3 and 2.4. Of course if h=1 then this
>> >      check can be skipped.
>>
>>   The check should be hQ != point-at-infinity. An equivalent check
>> could be nQ = point-at-infinity where n is the order of the group
>> formed by the generator, G.
>>
> [DB] Well, the hQ != infinity check is insufficient for security, and not
> equivalent to ensuring that nQ=infinity.
>
> Dan, sorry, I did not explain these details in my response to you.

  That's interesting. Your paper "Validating EC Public Keys" (Antipa,
Brown, Menezes, Struik and Vanstone) says in section 3 that the
steps to validate an EC public key, W=(xw, yw), are:

  1. W != infinity
  2. xw and yw are properly represented elements of the finite field
  3. W satisfies the defining equation of the curve; and
  4. nW = infinity

It then says that "if h=1, then condition 4 is implied by the other
three conditions. In some protocols the check that nW = infinity may
either be embedded in the protocol computations or replaced by the
check that hW != infinity."

  Can you explain why hQ != infinity is insufficient and not equivalent
to nQ = infinity?

  thanks and best regards,

  Dan.
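As an added illustration that is not part of this thread or of the cited paper, the following toy curve (constructed for this example: y^2 = x^3 + x + 1 over GF(23), 28 points, so h = 4 and n = 7) implements the four validation steps quoted above and shows that a point Q can pass the hQ != infinity check while failing the nQ = infinity check; the point names G, T and Q are assumptions of the example.

```python
# Toy curve y^2 = x^3 + x + 1 over GF(23). Group order 28 = h * n with
# h = 4, n = 7 (constructed example; not a real IKE/ECP group).
P_MOD, A, B = 23, 1, 1
H, N = 4, 7
INF = None  # point at infinity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Affine short-Weierstrass group law."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def validate(pt, full=True):
    """Checks 1-4 from the thread. full=False replaces check 4
    (nW = infinity) with the weaker hW != infinity."""
    if pt is INF: return False                                   # 1
    x, y = pt
    if not (0 <= x < P_MOD and 0 <= y < P_MOD): return False     # 2
    if not on_curve(pt): return False                            # 3
    return mul(N, pt) is INF if full else mul(H, pt) is not INF  # 4

G = mul(H, (0, 1))  # clearing the cofactor yields a point of order n = 7
T = (4, 0)          # the curve's only point of order 2 (small subgroup)
Q = add(G, T)       # Q = G + T: hQ = hG != INF, but nQ = nT = T != INF
```

A check of the form hQ != infinity only rules out points inside the small subgroup; it does not put Q inside the order-n subgroup, which is what nQ = infinity establishes.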


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
