On 02/01/2014 04:57 AM, Jon Callas wrote:
Of those two, I vote for (1). There's no real value in the compression, it's an
observation. And the reason there's little value in compression is the same
reason that there's little harm in just putting the point there and don't worry
about leading zeroes.
One positive side effect of using compression is that de-compression
implies a validated point.
In some uses of OpenPGP protocol it may be necessary to validate that
the ephemeral public key of ECDH lies on the curve and not on some
specially selected curve with points of low order.
See "Validation of Elliptic Curve Public Keys" sec
4.2 Invalid-Curve Attack on ECIES (that applies to ECDH as well).
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp