On Tue, Nov 15, 2016 at 05:02:24PM +0900, Yoav Nir wrote:
> I think the performance enhancement (in terms of handshakes per second)
> that you get by reusing ephemeral keys is so great, that we have to
> assume people will do it. You don't have to keep the keys indefinitely.
> It's fine to generate a new key every second or ten seconds or so.
>
> Which makes running the point validation all the more important.
There are two main reasons for point validation:

1) Preventing leaking of the secret exponent.
2) Preventing key collisions from low-order points.

TLS 1.3 isn't vulnerable to 2) like TLS 1.2 and below are (without EMS).
X25519/X448 have been explicitly designed to resist 1).

If you want to prevent using low-order points for some reason, there is a
handy trick: check if the output of X25519/X448 is all zeroes or not, and
abort if it is.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls