Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

Martin Thomson <> Tue, 22 December 2015 23:16 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 412DB1A92ED for <>; Tue, 22 Dec 2015 15:16:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id b2NIB2I-LNI6 for <>; Tue, 22 Dec 2015 15:16:48 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1564F1A92BA for <>; Tue, 22 Dec 2015 15:16:48 -0800 (PST)
Received: by with SMTP id jw2so68117442igc.1 for <>; Tue, 22 Dec 2015 15:16:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=53LcV2JUnM/LXL7dPWm0CY2Q1lP3U8q+dCwGG4i/F6I=; b=ChgKIrLymlcMUs+WcfMYZCq/EYK8EyClkzrlx/QNmE60ObUhVfcyxdaEWCmZ4ufpqk G1Q/Sy4INZvSkwA/V+YjFnQoGy67h9jkh0jr1qs9hbHcLN/50ynzLqfs0DP+rNm+rBJi GYDUalShnTcwe/xYJBgg90pyoyeapCNaWRo0J1d7wOiV8Hd7HPwmovU4pgVzIH/dUeM5 aZC5NHTOXqvDucJC3JoDjJh0LDvtCsb0cbHksxY1RkQMZ3lxbKinkFMxDUmq7OtLOxq9 U+J3o3Kqc+PGqbxodYogjZLSQ/hQXbQ1P+rSzdtB1FrspMPzZhl8G9TfqSLpuPPVZ5Zj YruA==
MIME-Version: 1.0
X-Received: by with SMTP id sa10mr6200049igb.77.1450826207501; Tue, 22 Dec 2015 15:16:47 -0800 (PST)
Received: by with HTTP; Tue, 22 Dec 2015 15:16:47 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Wed, 23 Dec 2015 10:16:47 +1100
Message-ID: <>
From: Martin Thomson <>
To: Watson Ladd <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
Cc: "<>" <>
Subject: Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 22 Dec 2015 23:16:49 -0000

On 23 December 2015 at 08:51, Watson Ladd <> wrote:
> Textbook DH does not ensure contributory behavior. Applications don't
> implement the required checks for poorly designed protocols. If we insert
> checks, applications which fail to make those checks will be vulnerable,
> while fixing protocols closes the hole.

I've done a fair bit of reading into this issue as well, finding
Thai's blog posting and a few other things.  As Watson says, the
protocol can be designed so that it doesn't depend on the DH exchange
providing contributory behaviour.  We should definitely do that either

I understand that the checks are considered onerous by some, but I
still don't understand why anyone might refuse to do them.  Checking
that you don't get a bad output from the DH computation is a tiny
piece of code that takes almost no time at all, even if you have to
worry about doing it in constant time.