On 02/06/2024 22:02, Filippo Valsorda wrote:
> Third, we learned to make key shares always ephemeral which makes
> invalid curve attacks irrelevant.
Although using ephemeral keys does effectively prevent key recovery
through invalid points, you can still use invalid points to perform
confinement attacks on an otherwise prime order curve.
This was used by Eli Biham and Lior Neumann to break the Bluetooth pairing
standard back in 2018 [1]. The Bluetooth standard previously said
implementers could choose to do full point validation or always use
ephemeral keys, and folks opted for the less complex choice. This isn't
a clear separator between X25519 and P-256 though, since X25519 would
also need to reject small order points in order to avoid the same attack.
Best,
Dennis
[1]
https://biham.cs.technion.ac.il/BT/bt-fixed-coordinate-invalid-curve-attack.pdf
(Also summarized in 7.2 of Prime Order Please
https://eprint.iacr.org/2019/526.pdf)
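The two receiver-side checks the reply contrasts, as an added example written for this post (not code from the thread or from any implementation it mentions): an on-curve test for P-256, which is sufficient there because the group has prime order, and the RFC 7748 all-zero output check for X25519, which is what rejecting the small-order points amounts to in practice. Curve constants are the standard P-256 and Curve25519 parameters.

```python
# Added example, not from the mailing-list thread. Ephemeral keys stop key
# recovery via invalid points, but a receiver that skips validation still lets
# a peer confine the shared secret to a few values. Two defences are shown:
# P-256: check the peer point satisfies the curve equation (cofactor 1, so
# on-curve implies prime order). X25519: the x-only ladder accepts any u
# (curve or twist), so the check is on the output instead.

P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

def is_on_p256(x: int, y: int) -> bool:
    """Reject off-curve peer points: y^2 == x^3 - 3x + b (mod p), coords in range."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0

P25519 = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder (x-only, no on-curve check possible)."""
    k_int = int.from_bytes(k, "little") & ~7 & ((1 << 254) - 1) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P25519, (x2 - z2) % P25519
        aa, bb = a * a % P25519, b * b % P25519
        e = (aa - bb) % P25519
        da, cb = (x3 - z3) * a % P25519, (x3 + z3) * b % P25519
        x3, z3 = (da + cb) ** 2 % P25519, x1 * (da - cb) ** 2 % P25519
        x2, z2 = aa * bb % P25519, e * (aa + A24 * e) % P25519
    if swap:
        x2, z2 = x3, z3
    # identity comes out as z2 == 0, which this inversion maps to an all-zero result
    return (x2 * pow(z2, P25519 - 2, P25519) % P25519).to_bytes(32, "little")

def x25519_shared_secret(k: bytes, peer_u: bytes) -> bytes:
    """X25519 plus the RFC 7748 all-zero check, which rejects small-order peer points."""
    out = x25519(k, peer_u)
    if out == bytes(32):
        raise ValueError("peer point has small order; shared secret would be confined")
    return out
```

Both u = 0 and u = 1 are small-order Curve25519 points, so with a clamped (multiple of 8) scalar the ladder returns all zeros for them and `x25519_shared_secret` refuses to proceed.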
TLS mailing list -- tls@ietf.org