[some_furry]

> a malicious end user can not determine if there was a crypto error and, specifically, how long that crypto error took to happen

That sounds interesting. I'd like to test this hypothesis sometime ;)

> We also have similar safety models for things like invalid curve attacks.

What is your defense against invalid curve attacks exactly? I'm very curious about that (although your target audience largely won't care, so this post probably doesn't need to be updated).

Two defenses that work:

1. Always check that the (x, y) coordinate is a solution for the curve equation

2. Use compressed public key points

I prefer option 2 (especially since the patent on point compression expired years ago), but option 1 works.

[arcurn]

> That sounds interesting. I'd like to test this hypothesis sometime ;)

That sounds great! Feel free to shoot me an email on shane@evervault.com if you'd like to get further into the weeds :)

Our main defence against invalid curves is compressed public key points. It's not often that security mitigations also give some other nice advantages (smaller public keys!), but for this scenario it made total sense.

[some_furry]

> Our main defence against invalid curves is compressed public key points.

This is the point in Slack when I usually reply with a sparkly heart emoji.

I'll get in touch sometime. This is a busy month for me so I won't have a lot of spare cycles, but if I catch a break it might be fun to test. :D

[adamisntdead]

I'm surprised that something like point compression can even be patented, considering that it's relatively straightforward mathematically (all of the difficulty seems to lie in the number theory to compute a solution, which I assume wasn't invented by whoever owned the patent)...

[some_furry]

Cryptography patents are, on some level, stupid. It's all math.