Peter Gutmann writes:
> compressed points are patented

Which patent are you referring to? US 6141420, I suppose. Let's ignore the question of what's in the prior art (1992 Harper--Menezes--Vanstone) and what's actually claimed in the patent. Are you aware that this patent expired in July 2014?

> Everything uses uncompressed points at the moment without any problems

The same way that everyone uses C and C++ without any problems?

https://www.nds.rub.de/research/publications/ESORICS15/ completely broke two implementations of uncompressed (x,y) ECDH in TLS. The problem, of course, is that the implementors forgot to check that the input (x,y) was on the curve.

OpenSSL _does_ try to check, but it seems that this check is sometimes affected by recently announced bugs in OpenSSL's carry handling. The impact isn't clear---analyzing this sort of thing is very difficult.

Using compressed (x,y) significantly reduces the amount of rarely tested checking code for the implementor to screw up.

More importantly, there's a third option (introduced in Miller's original ECC paper), namely using just x-coordinates. Section 4.1 of https://cr.yp.to/papers.html#nistecc explains how X25519 uses this third option to proactively and robustly avoid this type of attack.

---Dan

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
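An added example, not part of the original message or of any implementation it mentions: the explicit on-curve check that an uncompressed P-256 point needs, next to compressed-point decoding, where y is derived from the curve equation so an off-curve point cannot be expressed. The function names are illustrative, and plain Python integers are used for clarity, not constant-time behaviour.

```python
# P-256 domain parameters (FIPS 186-4 / SEC 2).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def on_curve(x, y):
    """True iff 0 <= x, y < p and y^2 = x^3 + ax + b (mod p)."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def parse_uncompressed(buf):
    """Decode 0x04 || X || Y. The on_curve() call is the step that is
    easy to omit: without it, any (x, y) pair is accepted."""
    if len(buf) != 65 or buf[0] != 0x04:
        raise ValueError("not an uncompressed P-256 point")
    x = int.from_bytes(buf[1:33], "big")
    y = int.from_bytes(buf[33:], "big")
    if not on_curve(x, y):
        raise ValueError("point is not on the curve")
    return x, y


def parse_compressed(buf):
    """Decode 0x02/0x03 || X. The receiver computes y from the curve
    equation, so the result is on the curve or decoding fails."""
    if len(buf) != 33 or buf[0] not in (0x02, 0x03):
        raise ValueError("not a compressed P-256 point")
    x = int.from_bytes(buf[1:], "big")
    if x >= P:
        raise ValueError("x coordinate out of range")
    rhs = (x * x * x + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # square root; valid because p = 3 mod 4
    if y * y % P != rhs:
        raise ValueError("x is not the x-coordinate of any curve point")
    if (y & 1) != (buf[0] & 1):    # prefix carries the parity of y
        y = P - y
    return x, y
```
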