I was looking at the libsodium documentation, where it says:

[...] and to mitigate subtle attacks due to the fact many $(p, n)$ [public key - secret scalar] pairs produce the same result, using the output of the multiplication $q$ directly as a shared key is not recommended.

A better way to compute a shared key is $h(q \mathbin\| pk1 \mathbin\| pk2)$, with $pk1$ and $pk2$ being the public keys.

My questions are as follows:

  • What is the chance for two $(p, n)$ pairs to produce the same result? (Is it, for example, worse than the chance of two 252-bit random numbers being equal?)
  • What are the subtle attacks mentioned, and how does $h(q \mathbin\| pk1 \mathbin\| pk2)$ defend against them?

I noticed that NaCl, in crypto_box/curve25519xsalsa20poly1305/ref/before.c, simply hashes the secret without the public keys. So I presume that not following said advice can't be that bad.

SEJPM
Bob Semple

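The following is an added example, not code from the question, from libsodium or from NaCl. It makes the first part of the question concrete: X25519 as specified in RFC 7748 ignores the top bit of the received u-coordinate and clamps the low three bits (and the top bits) of the scalar, so a public key with its top bit flipped, or a scalar with its low bits flipped, is a different $(p, n)$ byte string that yields exactly the same $q$. The block then shows that $h(q \mathbin\| pk1 \mathbin\| pk2)$ does separate the two public-key encodings, because the key now depends on the bytes each party actually sent. Assumptions: the X25519 routine is a straight, non-constant-time transcription of the RFC 7748 ladder (for illustration only), $h$ is taken to be BLAKE2b-256 (libsodium's generic hash; the docs quoted above do not fix $h$), and the pk1/pk2 order is fixed by role (initiator first) so that both sides hash the same bytes. The key pairs are the RFC 7748 section 6.1 test vectors. Nothing here shows what the "subtle attacks" are; it only shows the collision the documentation refers to and what the hash binds.

```python
"""Added example (not from the question, libsodium or NaCl): pure-Python
X25519 per RFC 7748, used to show that distinct (public key, scalar) byte
strings can yield the identical raw result q, and what h(q || pk1 || pk2)
changes about that."""
import hashlib

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (486662 - 2) / 4
BASEPOINT = bytes([9]) + bytes(31)   # u = 9, little-endian


def _decode_scalar(k: bytes) -> int:
    """RFC 7748 clamping: clear bits 0-2 and 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """RFC 7748: the most significant bit of the u-coordinate is masked off."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5. NOT constant-time; for
    illustration only, never for production use."""
    kk, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (kk >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def raw_shared_key(sk: bytes, peer_pk: bytes) -> bytes:
    """Using q directly as the key: the practice the docs advise against."""
    return x25519(sk, peer_pk)


def hashed_shared_key(sk: bytes, own_pk: bytes, peer_pk: bytes,
                      initiator: bool) -> bytes:
    """h(q || pk1 || pk2) with h = BLAKE2b-256 (an assumption of this
    example). pk1 is always the initiator's key so both sides hash the same
    transcript regardless of which role calls this."""
    q = x25519(sk, peer_pk)
    pk1, pk2 = (own_pk, peer_pk) if initiator else (peer_pk, own_pk)
    return hashlib.blake2b(q + pk1 + pk2, digest_size=32).digest()


# RFC 7748 section 6.1 test vectors (Alice = initiator, Bob = responder).
ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PK = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_SK = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PK = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def colliding_pairs() -> tuple:
    """Two inputs that differ as byte strings from Bob's public key / Alice's
    scalar but give the same q: the public key with its ignored top bit
    flipped, and the scalar with its clamped low three bits flipped."""
    bob_pk_alt = BOB_PK[:31] + bytes([BOB_PK[31] ^ 0x80])
    alice_sk_alt = bytes([ALICE_SK[0] ^ 0x07]) + ALICE_SK[1:]
    return bob_pk_alt, alice_sk_alt


if __name__ == "__main__":
    bob_pk_alt, alice_sk_alt = colliding_pairs()
    print("q(a, B)       ==", raw_shared_key(ALICE_SK, BOB_PK).hex())
    print("q(a, B^0x80)  ==", raw_shared_key(ALICE_SK, bob_pk_alt).hex())
    print("q(a^0x07, B)  ==", raw_shared_key(alice_sk_alt, BOB_PK).hex())
    print("h(q||A||B)    ==", hashed_shared_key(ALICE_SK, ALICE_PK, BOB_PK, True).hex())
    print("h(q||A||B')   ==", hashed_shared_key(ALICE_SK, ALICE_PK, bob_pk_alt, True).hex())
```

The raw $q$ is identical for all three inputs, while the hashed key differs as soon as the public-key bytes differ. Note what the hash does and does not bind: it commits both parties to the exact public keys exchanged, so two sessions that agree on $q$ but saw different key bytes end up with different keys; it does nothing about two scalars that clamp to the same value, since those also produce the same public key and the scalar itself is never hashed.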