Wait, no, they absolutely are using JWT for no reason at all.
-
-
If you care about fault injection attacks then I don't know that any variant of Ed25519 is good to use, because Ed25519 is usually implemented using x-coordinate only multiplication so you can't verify that the result is on the curve. (IDK if that's necessary or sufficient yet.)
-
What? Ed25519 points are encoded using the (affine) y coordinate, and most implementations (including yours) use the extended coordinates of Hisil, Wong, Carter, and Dawson, not Montgomery x-line arithmetic.
-
Is this the normal way it's done? I thought it was normal to try to implement x25519 and then implement Ed25519 as a hack on top of it. If the hacky way isn't normal then it's probably less of a concern.
-
How would one do that? AFAIK for signing you can't use x-only Montgomery arithmetic because encoded Ed25519 points specify a single point, not a pair of points; and for verification, you can't use a differential addition formula with Shamir's trick.
-
+1 to what @bmastenbrook said. @BRIAN_____, people usually convert public keys from X25519 to Ed25519, to use a single key pair for both encryption and signature (I never am comfortable with this idea)
-
OK, let's jump ahead to the thing I want to verify: For these kinds of fault attacks, what is the value of checking that the result is on the curve? If the bit flipping is actually modifying the private key scalar itself then it doesn't help AFAICT, but how about otherwise?
-
EdDSA signing requires two scalar mults, one to compute the public key (which can be cached) and another to compute R. If an adversary can cause any faults in these computations, and also learn the correct value of the public key or R, they can compute the private key.
-
Point-on-curve check can detect certain faults, but it doesn't help if the adversary can actually flip a single bit of any scalar