Re: [Cfrg] Point validation in TLS 1.3

Dan Brown <> Wed, 30 November 2016 18:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9E19A129955 for <>; Wed, 30 Nov 2016 10:19:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.617
X-Spam-Status: No, score=-3.617 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FxoyC5qR7kjr for <>; Wed, 30 Nov 2016 10:19:24 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0E012129957 for <>; Wed, 30 Nov 2016 10:19:23 -0800 (PST)
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-SHA; 30 Nov 2016 13:19:22 -0500
Received: from ([fe80::45d:f4fe:6277:5d1b]) by ([fe80::2066:5d4f:8c45:af55%17]) with mapi id 14.03.0319.002; Wed, 30 Nov 2016 13:19:21 -0500
From: Dan Brown <>
To: "Paterson, Kenny" <>, Eric Rescorla <>, cfrg <>
Thread-Topic: [Cfrg] Point validation in TLS 1.3
Thread-Index: AQHSSpN+d4V6YFhL4UqVQs5gYMy5+aDxuAiAgAAOQZA=
Date: Wed, 30 Nov 2016 18:19:21 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US, en-CA
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Cfrg] Point validation in TLS 1.3
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Nov 2016 18:19:26 -0000

Hi Eric and Kenny,

Please consider adding a MAY for the redundant ("belts and suspenders") combination of point validation and Montgomery ladder (X25519).
Significant costs of this redundant combination are its being approximately 10% slower in each DH computation and its extra code.

A small benefit of this redundant combination is its being potentially minutely securer (see * below). 

A user or an implementer should only want this combination when the extra cost is somehow negligible (for example, in comparison to other large costs) because the benefits are likely close to negligible.

The user and implementer should be well-informed to make a useful decision.  The work of preparing a clear guidance in the RFC on cost (significant) and benefits (insignificant) might outweigh the benefit of having a MAY in the RFC.

Best regards,


(*) Here's how I think (for now) that directly rejecting twist-points on top of X25519 might minutely improve security:

- a denial of service attack consisting of just sending random strings as points is better resisted, 
- a user of the implementation can be more confident that something fishy doesn't happen if twisted points are received (the user can delay inspecting the internal of the implementation and just examine its behavior),
- validation is to be done on the public inputs received, before any secrets are used, which is generally safer (more robust against implementation bugs).

Again, the gain in all cases is small (at best) because each threat thwarted can be tweaked easily to work around to the countermeasure.

-----Original Message-----
From: Cfrg [] On Behalf Of Paterson, Kenny
Sent: Wednesday, November 30, 2016 6:27 AM
To: Eric Rescorla <>; cfrg <>
Subject: Re: [Cfrg] Point validation in TLS 1.3

Hi Eric,

Thanks for giving CFRG the chance to comment on this.

>From a technical perspective, this looks like an accurate translation of existing best practice to me.

Any other comments from the group?



On 29/11/2016 22:52, "Cfrg on behalf of Eric Rescorla"
< on behalf of> wrote:

>Hi CFRG folks,
>Matt Green has submitted a pull request to require validation for ECDHE 
>(TLS 1.3 already requires it for FFDHE). We wanted to make sure the 
>CFRG was
>aware of this and see if there were objections.
>PR is here:
>For the curves secp256r1, secp384r1 and secp521r1, the appropriate 
>validation procedures are defined in Section 4.3.7 of {{X962}} and 
>alternatively in Section of {{KEYAGREEMENT}}.  This process 
>consists of three steps: (1) verify that Y is not the point at infinity 
>(O), (2) verify that for Y = (x, y) both integers are in the correct 
>interval, (3) ensure that (x, y) is a correct solution to the elliptic 
>curve equation.  For these curves, implementers do not need to verify 
>membership in the correct subgroup.
>For x25519 and x448, the contents of the public value are the byte 
>string inputs and outputs of the corresponding functions defined in 
>{{RFC7748}}, 32 bytes for x25519 and 56 bytes for x448. Peers SHOULD 
>use the approach specified in {{RFC7748}} to calculate the 
>Diffie-Hellman shared secret, and MUST check whether the computed 
>Diffie-Hellman shared secret is the all-zero value and abort if so, as 
>described in Section 6 of {{RFC7748}}. If implementers use an 
>alternative implementation of these elliptic curves, they should 
>perform the additional checks specified in Section 7 of {{RFC7748}}.
>Thanks in advance for your input,

Cfrg mailing list