Showing posts from April, 2017

On testing (EC)DH and (EC)DSA

I found on Twitter an interesting blog post on breaking (EC)DSA and was writing a lengthy comment when some weird combination of keystrokes shut down my browser and ate my comment, so I thought I'd write a blog post instead.

The post raises an important point, namely that one should always validate domain parameters, but I'm not sure whether the issues it describes can be found in real-world applications. I haven't seen any protocol or application in which (EC)DSA signers take domain parameters from some external source. In practice, signers either generate these parameters themselves (e.g., using openssl dsaparam) or pick one of the well-known, standard parameters (e.g., named curves in ECDSA).

Also, if Mallory can choose g and Alice doesn't validate it, an infinite loop is the least of Alice's concerns, because Mallory might as well choose g such that Alice's private key has small order, and thus can be easily recovered. A corollary to the Sylow theorems shows…
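As an added example (my own illustration, not code from this post or from the post it replies to), here is the kind of domain-parameter validation the two paragraphs above call for, written for plain DSA over a prime field. It takes externally supplied (p, q, g), checks that p and q are prime, that q divides p - 1, that g lies strictly between 1 and p, and that g^q mod p = 1, which together force g to have order exactly q. Degenerate generators such as g = 0, g = 1 and g = p - 1 (order 2) are all rejected. The toy parameters p = 23, q = 11 are constructed for the demonstration and are far too small for real use; the helper names and the size check are my own, and the generator derivation follows the familiar g = h^((p-1)/q) mod p construction.

```python
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (trial division first for small factors)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_dsa_params(p: int, q: int, g: int, min_bits: int = 0):
    """Return (True, "ok") if (p, q, g) are acceptable DSA domain parameters,
    else (False, reason).  min_bits is a hypothetical knob for the caller to
    enforce a minimum size of p; the toy example below leaves it at 0."""
    if p.bit_length() < min_bits:
        return False, "p is too small"
    if not is_probable_prime(p):
        return False, "p is not prime"
    if not is_probable_prime(q):
        return False, "q is not prime"
    if (p - 1) % q != 0:
        return False, "q does not divide p - 1"
    # Reject g = 0, g = 1 and anything outside the field: a signer that accepts
    # these either never produces a usable r or leaks structure about x.
    if not (1 < g < p):
        return False, "g is not in the range 1 < g < p"
    # g^q == 1 (mod p) with q prime and g != 1 means ord(g) == q exactly, so an
    # attacker-supplied g of small order (e.g. g = p - 1, order 2) is refused.
    if pow(g, q, p) != 1:
        return False, "g does not have order q"
    return True, "ok"


def derive_generator(p: int, q: int, h: int) -> int:
    """Derive an order-q generator from a seed h (assumes q | p - 1 and 1 < h < p - 1).
    Returns 1 if h happens to lie in the subgroup of index q; callers retry another h."""
    return pow(h, (p - 1) // q, p)


if __name__ == "__main__":
    # Constructed toy parameters: p = 23, q = 11 (22 = 2 * 11), 2 has order 11 mod 23.
    p, q = 23, 11
    for g in (2, 4, 0, 1, 22):
        print(g, validate_dsa_params(p, q, g))
    print("derived g:", derive_generator(p, q, 2))
```

The order check is the one that matters against the scenario in the last paragraph: with q prime, g^q mod p = 1 and g != 1 leave no room for a generator of small order, so the public key y = g^x mod p cannot be turned into a cheap congruence on x. The same shape of check (point on the curve, point of prime order n, n * P = O) is what the ECDSA standards require for untrusted curve parameters and public keys.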