Re: [Cfrg] invalid compressed point attack ...

[Dan Brown <dbrown@certicom.com>]

By invalid decompression, I meant skipping the check on the correctness‎ of y^2==z, which is as bad and as silly as skipping the check y^2==x^3+ax+b in an uncompressed invalid-point attack, and actually the same check. 

Yes, checking y^2==z stops the‎ attack for sure.

Anyway , i'm seeing the skipped check as nearly equally natural in both cases, and apparently there's even some of incentive to skip these checks called "simplicity "...

Best regards, 

-- Dan
  Original Message  
From: David Jacobson
Sent: Thursday, November 27, 2014 10:38 PM
To: Dan Brown; 'watsonbladd@gmail.com'
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] invalid compressed point attack ...

On 11/27/14, 10:33 AM, Dan Brown wrote:
> Definitions: A compressed point (x,z) is invalid if it is not the compression
> of a valid uncompressed point.
> We can technically define an invalid point attack for compression by
> specifying an invalid decompression rule for invalid compressed points.
> For example, in prime fields of size p = 3 mod 4, the function z |->
> z^((p+1)/4) can be used to decompress invalid compressed points, in the place
> where actual square root algorithm is used to decompress a valid compressed
> point.
>
> To me, this invalid decompression rule seems as plausible an implementation
> fault as the fault of not checking for curve membership of an uncompressed
> point.
You seem to be saying that using y = z^((p+1)/4) where z is computed 
from x using the curve equation, i.e. for short Weierstrass z = x^2 + a 
* x + b, is not a valid way of computing a valid (x,y) on the curve. 
Well, of course, it is possible that z is not a quadratic residue. But 
if you check that y^2 == z, is it still unsafe?

Thank you,

--David

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org‎
http://www.irtf.org/mailman/listinfo/cfrg