Hello,

There has been a lot of chatter on GitHub about point validation. I think it's important to note that in TLS 1.3 the Triple Handshake variants enabled by small subgroup attacks are no longer a threat: the issue is reuse of ephemeral Diffie-Hellman exponents, resulting in compromise of what is effectively a long-term key.

I would want a belt-and-suspenders approach: no use of ephemeral exponents, and validation that points are on the curve. Order validation is unnecessary as the cofactor is small: in cases where it is not, the curve probably shouldn't be used without a good reason, and I can't think of any. I know one implementation does keep ephemeral exponents indefinitely. This implementation also validates orders, which equals the expense of not regenerating ephemeral exponents.

Sincerely,
Watson
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
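The two checks discussed in the message, on-curve validation of a peer's key share and the (optional) order check, worked through for P-256 as an added example. This code is not part of Watson's message or of any TLS implementation; it is pure-integer affine arithmetic with the standard secp256r1 domain parameters, and the byte layout it parses (0x04 || X || Y, 65 bytes) is the TLS 1.3 ECDHE key share encoding for that curve. RFC 8446 §4.2.8.2 requires the on-curve check for the NIST curves; the order check is included only to show that for a cofactor-1 curve it is redundant, which is the point the message makes. The off-curve test point and the random exponents in `demo()` are constructed here.

```python
# Added example (not from the mailing-list message or any TLS stack):
# validating an ECDHE key share on P-256 before using it.
import secrets

# P-256 (secp256r1) domain parameters, SEC 2 / FIPS 186-4.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
COFACTOR = 1  # the group order N is prime, so every non-identity point has order N


def is_on_curve(pt):
    """y^2 == x^3 + a*x + b (mod p); the point at infinity is rejected."""
    if pt is None:
        return False
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine short-Weierstrass addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add; not constant time, which is fine for a validation demo."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def parse_key_share(data):
    """TLS 1.3 key share for secp256r1: 0x04 || X (32 bytes) || Y (32 bytes)."""
    if len(data) != 65 or data[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point")
    return (int.from_bytes(data[1:33], "big"), int.from_bytes(data[33:], "big"))


def serialize_point(pt):
    x, y = pt
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def validate_key_share(pt, check_order=False):
    """Return (ok, reason). The on-curve check is mandatory (RFC 8446 4.2.8.2).
    The order check n*Q == O only matters when COFACTOR > 1; on P-256 it is
    redundant once the point is on the curve, so it is off by default."""
    if pt is None:
        return False, "point at infinity"
    if not is_on_curve(pt):
        return False, "not on curve"
    if check_order and scalar_mult(N, pt) is not None:
        return False, "wrong order"
    return True, "ok"


def ecdh(priv, peer_pub):
    ok, why = validate_key_share(peer_pub)
    if not ok:
        raise ValueError("rejecting peer share: " + why)
    return scalar_mult(priv, peer_pub)[0]  # shared secret is the x-coordinate


def demo():
    # Fresh exponents for this one exchange (constructed here). Reusing them
    # across handshakes would make them long-term keys, as the message warns.
    da = secrets.randbelow(N - 1) + 1
    db = secrets.randbelow(N - 1) + 1
    share_a = serialize_point(scalar_mult(da, G))
    share_b = serialize_point(scalar_mult(db, G))
    za = ecdh(da, parse_key_share(share_b))
    zb = ecdh(db, parse_key_share(share_a))
    return za == zb


if __name__ == "__main__":
    print("shared secrets agree:", demo())
    bad = (G[0], (G[1] + 1) % P)  # constructed off-curve point
    print("off-curve share:", validate_key_share(bad))
```

Because P-256 has prime order, `validate_key_share(pt, check_order=True)` can never reject a point that the on-curve check accepted; the scalar multiplication by N costs about as much as generating a fresh key, which is the trade-off the message describes. On a curve with a larger cofactor the order (or cofactor-clearing) step would be the one doing real work.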