The microblog: 2021.05.03 13:21:44

2021.05.03 13:21:44 (1389178354859798530) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1389172012665516037):

One of the ways ECDH has improved over the years is moving to curves+encodings where this KEM (and, more broadly, ECDH NIKE) is secure _without_ any checks for invalid points. Also, hashed DH doesn't need a gap assumption except for writing theory papers. Pairings don't break it.


2021.05.03 12:56:32 (1389172012665516037) from "Luca De Feo (@luca_defeo)":

2. Even if you don't care about assumptions, you must test for group membership to protect against invalid point attacks. This requires constant-time comparisons, which are as easy to botch as they were in the SIKE code. I really don't see a difference between ECC and SIKE here.