diff --git a/keyserver/src/responders/user-responders.js b/keyserver/src/responders/user-responders.js
--- a/keyserver/src/responders/user-responders.js
+++ b/keyserver/src/responders/user-responders.js
@@ -41,6 +41,10 @@
   SubscriptionUpdateResponse,
 } from 'lib/types/subscription-types.js';
 import type { PasswordUpdate } from 'lib/types/user-types.js';
+import {
+  identityKeysBlobValidator,
+  signedIdentityKeysBlobValidator,
+} from 'lib/utils/crypto-utils.js';
 import { ServerError } from 'lib/utils/errors.js';
 import { values } from 'lib/utils/objects.js';
 import { promiseAll } from 'lib/utils/promises.js';
@@ -195,11 +199,6 @@
   deviceToken: t.String,
 });
 
-const signedIdentityKeysBlobValidator = tShape({
-  payload: t.String,
-  signature: t.String,
-});
-
 const registerRequestInputValidator = tShape({
   username: t.String,
   email: t.maybe(tEmail),
@@ -224,6 +223,9 @@
     const identityKeys: IdentityKeysBlob = JSON.parse(
       signedIdentityKeysBlob.payload,
     );
+    if (!identityKeysBlobValidator.is(identityKeys)) {
+      throw new ServerError('invalid_identity_keys_blob');
+    }
 
     const olmUtil: OLMUtility = getOLMUtility();
     try {
@@ -520,6 +522,10 @@
   let identityKeys: ?IdentityKeysBlob;
   if (signedIdentityKeysBlob) {
     identityKeys = JSON.parse(signedIdentityKeysBlob.payload);
+    if (!identityKeysBlobValidator.is(identityKeys)) {
+      throw new ServerError('invalid_identity_keys_blob');
+    }
+
     const olmUtil: OLMUtility = getOLMUtility();
     try {
       olmUtil.ed25519_verify(
diff --git a/lib/utils/crypto-utils.js b/lib/utils/crypto-utils.js
--- a/lib/utils/crypto-utils.js
+++ b/lib/utils/crypto-utils.js
@@ -1,5 +1,30 @@
 // @flow
 
+import t from 'tcomb';
+import { type TInterface } from 'tcomb';
+
+import { primaryIdentityPublicKeyRegex } from './siwe-utils.js';
+import { tRegex, tShape } from './validation-utils.js';
+
 const minimumOneTimeKeysRequired = 10;
 
-export { minimumOneTimeKeysRequired };
+const signedIdentityKeysBlobValidator: TInterface = tShape({
+  payload: t.String,
+  signature: t.String,
+});
+
+const olmIdentityKeysValidator: TInterface = tShape({
+  ed25519: tRegex(primaryIdentityPublicKeyRegex),
+  curve25519: tRegex(primaryIdentityPublicKeyRegex),
+});
+
+const identityKeysBlobValidator: TInterface = tShape({
+  primaryIdentityPublicKeys: olmIdentityKeysValidator,
+  notificationIdentityPublicKeys: olmIdentityKeysValidator,
+});
+
+export {
+  minimumOneTimeKeysRequired,
+  signedIdentityKeysBlobValidator,
+  identityKeysBlobValidator,
+};