Questions tagged [x25519]

Curve25519 is an elliptic curve offering 128 bits of security (with a 256-bit key size), designed for use with the elliptic curve Diffie–Hellman (ECDH) key agreement scheme.

The original Curve25519 paper defined it as a Diffie–Hellman (DH) function. Daniel J. Bernstein has since proposed that the name Curve25519 be used for the underlying curve, and the name X25519 for the DH function.

58 questions

23 votes, 2 answers

Difference between X25519 vs. Ed25519

I am reading https://en.wikipedia.org/wiki/Curve25519 and it states: "Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard. It requires mandatory support for X25519, Ed25519, X448, and Ed448 algorithms." I…
ams

23 votes, 1 answer

Distinguishing x25519 public keys from random?

I recently read a piece of protocol that avoided sending ephemeral x25519 keys in the clear as an effort to foil deep-packet inspection. I understand that x25519 public keys are effectively 255 bits, which must be serialized as 256 bits, leaving one…
Jonas

11 votes, 1 answer

How does the process of creating a new secure Elliptic Curve look like?

I'm especially curious about the technique djb would have used to come up with his Curve 25519. Say I have already written down my goals, such as - Twist Secure, Speed, Side Channel resistance, etc. In this case, how do I go about creating new…
Cookies

11 votes, 2 answers

Summarize the mathematical problem at the heart of breaking a Curve25519 public key

It's pretty easy to generate a Curve25519 private key: generate 32 random bytes of data and then do: e[0] &= 248; e[31] &= 127; e[31] |= 64. You can then generate a public key by doing fancy math on the private key. For example, here's a random…
Kevin Burke

11 votes, 1 answer

curve25519 weak points for contributory behaviour

The Diffie-Hellman on curve25519 is usually calculated using the base point $(9,…)$ which induces a cyclic subgroup of $G:=\{\infty\}\cup(E(F_{p^2})\cap(F_p\times F_p))$ with index 8, i.e. there is a prime $p_1$ such that $|G|=8p_1$ and the order of…
Perseids

10 votes, 3 answers

Curve 25519 (X25519, Ed25519) Convert coordinates between Montgomery curve and twisted Edwards curve

I have some misunderstanding about EdDSA conversion coordinates between Montgomery curve and twisted Edwards curve. In https://www.rfc-editor.org/rfc/rfc7748 I see that a base point for Curve25519 is Montgomery curve: U(P) 9 V(P) …
sribin

9 votes, 2 answers

How many valid X25519 private keys are there?

According to the Curve25519 website: Computing secret keys. Inside your program, to generate a 32-byte Curve25519 secret key, start by generating 32 secret random bytes from a cryptographically safe source: mysecret[0], mysecret[1], ...,…
Ben Zelnick

7 votes, 2 answers

Difference on montgomery curve equation between EFD and RFC7748

There is a subtle difference between the 2 implementations for a Montgomery curve defined from the 2 following links https://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html A = X2+Z2 AA = A^2 B = X2-Z2 BB = B^2 E =…
Pierre

6 votes, 1 answer

Does any $x < p$ satisfy the curve equation of X25519?

I've been reading about the famous X25519, a Montgomery curve, on Wikipedia, and in that article they say that we do not have to check for point validity. Is it because any $x < p$ satisfies the curve equation? Is this possible for X25519…
Aravind A

6 votes, 0 answers

Regarding the need to hash the shared secret in X25519 with the public keys

I was looking at the LibSodium documentation where it says [...] and to mitigate subtle attacks due to the fact many $(p, n)$ [public key - secret scalar] pairs produce the same result, using the output of the multiplication $q$ directly as a…
Bob Semple

6 votes, 3 answers

Can Curve25519 shared secret be safely truncated to half its size?

I am planning to use a key agreement mechanism in an application needing ephemeral keys, and Curve25519 looks promising, specifically because it offers 128 bits of security, just fine for AES-128 which is my symmetric cryptographic algorithm of…
juhist

6 votes, 2 answers

"Cropping" the resulting shared secret from ECDH

I'm deriving a shared secret using ECDH with Ed25519 keys. According to the specification (page 5), the shared secret then can be any valid Curve25519 public key, i.e. any valid 32 bytes. My environment is such that I need to map this shared secret…
user80785

5 votes, 2 answers

Is using different public keys for different peers safer than reusing the public key, beyond forward secrecy?

In X25519 (ECDH over Curve25519) Peer A and B exchange their Public Keys PkA and PkB and then calculate a shared-secret SecAB using combinationOf(SkA, PkB) == combinationOf(SkB, PkA). For forward secrecy, I think it's recommended for A and B to…

4 votes, 1 answer

How does the key agreement process take place in Virgil E3Kit SDK for end to end encryption?

I'm using Virgil E3Kit SDK to implement end-to-end encryption in my App. Their E3Kit SDK is very effective and not too hard to understand, but I still don't understand how the key agreement process takes place in Virgil E3Kit SDK. The workflow…

4 votes, 1 answer

Distinguishing EC Public Key from random

I recently read the post Distinguishing x25519 public keys from random? and found myself wondering why, for a randomly chosen x, the result of the function $$x^3+ax^2+x$$ is a square in 50% of cases and not in the other 50%. I understand that in a…
Safari1811