On 22 Feb 2016 6:51 pm, "Van Gegel" <<a href="mailto:torfone@ukr.net">torfone@ukr.net</a>> wrote: > > For example, an attacker must obtain a specified 32-bit SAS (for MitM). He receive a 224-bit key and then must send your 224-bit, and then receive remaining 32 bits and must send remaining 32 bits. Can the attacker pick your key effectively to solve the problem in polinomal time? You are effectively asking if an attacker can generate many 256bit public keys with the same 224bit prefix (and know the private key for them). The answer is "probably", I don't believe there is a quick way of doing it - but as the attacker can pick the first 224 bits they can probably find some class of points that speeds the search up. (the attacker won't have a 100% chance for the attack, as there aren't 2^32 valid points in that space) Just use the existing methods and then you don't need to worry about hypotheticals like the above.