[curves] Climbing the elliptic learning curve (was: Re: Finalizing XEdDSA)

Antonio Sanso asanso at adobe.com
Tue Jan 31 02:32:43 PST 2017

Thanks a lot guys,

I have tried the sage formula from Mike and worked like a charm. 
I got less luck with the approach from Trevor (but hey, is for sure my fault).
Of course even if I was able to calculate an equivalent public key there is no chance I can retrieve the associate 
private key (of course this would be like breaking DH, right?).

Said that, last silly question on the topic is:

in which situation not checking for the “right” public key can be a problem?
Trevor mentioned already one situation, but I fail to see without the knowledge 
of the associated private key, where this could be an harm….

Thanks a lot and regards


On Jan 30, 2017, at 11:02 PM, Trevor Perrin <trevp at trevp.net> wrote:

> On Mon, Jan 30, 2017 at 1:48 PM, Mike Hamburg <mike at shiftleft.org> wrote:
>> On Jan 30, 2017, at 12:41 PM, Antonio Sanso <asanso at adobe.com> wrote:
>> On Nov 7, 2016, at 12:51 AM, Trevor Perrin <trevp at trevp.net> wrote:
>> However, cofactor>1 can still have subtle and unexpected effects, e.g.
>> see security considerations about "equivalent" public keys in RFC
>> 7748, which is relevant to the cofactor multiplication "cV" in
>> VXEdDSA, or including DH public keys into "AD" in Signal's (recently
>> published) X3DH [3].
>> may you shed some more light about this?
>> What is the algorithm to find and “equivalent” public key?
> [...]
>> Second, two x’s are equivalent if they differ by a c-torsion point.  This is
>> because the X25519 Diffie-Hellman key exchange algorithm is computing
>> c*secret*P, which is the same as c*secret*(P+T) for points T such that c*T
>> is the identity.  Another way to describe these equivalent keys is that
>> they’re the x-coordinates of points Q such that c*Q = c*P.
> I'll describe the same thing, but maybe this is simpler wording:
> For X25519, just add a point of low order (i.e. order=2, 4, or 8) onto
> an X25519 public key.  Because X25519 private keys are multiples of
> the cofactor (8), the added point won't change DH results.
> I.e. for public key A, some private key b, and low-order point L:
> b(A+L) = bA + bL = bA
> Trevor

More information about the Curves mailing list