Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
crypto/ed25519: reject low order points #31846
Rejecting low order points is not strictly necessary, but it helps root out behaviors that can come unexpected to protocol designers (like non-contributory DH, or signature:message:key not being 1:1:1). libsodium already does indiscriminately, and we should too.
This was suggested by Cas Cremers and Dennis Jackson as part of their upcoming work on revisiting small subgroup and invalid curve attacks.
The RFC recommends checking the X25519 output to ensure it's not the zero value, to guard against peers trying to remove contributory behavior. In TLS there should be enough transcript involvement to mitigate any attack, and the RSA key exchange would suffer from the same issues by design, so not proposing a backport. See #31846 Change-Id: I8e657f8ee8aa72c3f8ca3b124555202638c53f5e Reviewed-on: https://go-review.googlesource.com/c/go/+/183039 Run-TryBot: Filippo Valsorda <firstname.lastname@example.org> TryBot-Result: Gobot Gobot <email@example.com> Reviewed-by: Adam Langley <firstname.lastname@example.org>