<p dir="ltr">On 22 Feb 2016 6:51 pm, "Van Gegel" <<a href="mailto:torfone@ukr.net">torfone@ukr.net</a>> wrote:<br>
><br>
> For example, an attacker must obtain a specified 32-bit SAS (for MitM). He receive a 224-bit key and then must send your 224-bit, and then receiveĀ remaining 32 bits and must send remaining 32 bits. Can the attacker pick your key effectively to solve the problem in polinomal time?</p>
<p dir="ltr">You are effectively asking if an attacker can generate many 256bit public keys with the same 224bit prefix (and know the private key for them). The answer is "probably", I don't believe there is a quick way of doing it - but as the attacker can pick the first 224 bits they can probably find some class of points that speeds the search up.</p>
<p dir="ltr">(the attacker won't have a 100% chance for the attack, as there aren't 2^32 valid points in that space)</p>
<p dir="ltr">Just use the existing methods and then you don't need to worry about hypotheticals like the above.</p>