Montgomery curves are currently supported in elliptic/ec, and usage gets passed to derive here. There's even a test for it.
However, Curve25519 ECDH as defined in RFC 7748 is not the same as doing generic ECDH on a Montgomery curve. Namely, the standard ECDH operations are:
- Missing clamping for Montgomery curves. This makes X25519/X448 non-compliant,
- Missing subgroup/order checks,
- Missing all-zero rejection.
The RFC goes into detail of the required clamping here.
The RFC goes into optional all-zero and subgroup/order checks such as here.
My understanding is that we're safe from twist attacks, but the code does not prevent low-order/subgroup attacks on Montgomery curves. It seems to me that mont curves should be completely disallowed; or the proper clamping (and optional other checks) be integrated. WDYT?