[openssl-users] X25519 - why openssl shows server temp key as 253 bits?
Jakob Bohm
jb-openssl at wisemo.com
Tue Sep 4 14:19:25 UTC 2018
On 04/09/2018 15:43, Robert Moskowitz wrote:
> And I seem to recall that one bit is for compact representation. That
> is, is y positive or negative. With p256, you have to transmit x and
> y or deal with the compact representation patent.
>
Not sure if this applies to X25519 and Ed255 which use different
techniques than the traditional curves.
Those two are also intended to avoid data-dependent if() statements
(because of side channel attacks), but remain vulnerable on CPUs
where division or multiplication instructions have data-dependent
time and/or power consumption (which is unfortunately most of the
common ones).
> On 09/04/2018 08:00 AM, Kyle Hamilton wrote:
>> Probably because the definition of X25519 requires that bits 0, 1,
>> and 2 of the first byte of the private key are set to 0 before being
>> used, and OpenSSL counts the number of bits including the
>> highest-order set bit. (Really, there's an additional 2 bits that are
>> also set to known values: bit 6 of the last byte is set, and bit 7 of
>> the last byte is cleared. In my view, this actually reduces the
>> necessary brute-force search space from 256 bits to 251 bits.
>> However, literally any 32-byte string can be used as a public key.
>> Apparently, djb views this as sufficient to call it a 256-bit
>> strength function.)
>>
>> For the specification, please see the subsection entitled
>> "Responsibilities of the User" in section 3 of
>> https://cr.yp.to/ecdh/curve25519-20060209.pdf .
>>
>> -Kyle H
>>
>> On Mon, Sep 3, 2018, 22:29 M K Saravanan <mksarav at gmail.com
>> <mailto:mksarav at gmail.com>> wrote:
>>
>> Hi,
>>
>> When using openssl with X25519, why does it show the server temp key
>> as 253 bits?
>>
>> Example:
>>
>> ---
>> No client certificate CA names sent
>> Peer signing digest: SHA256
>> Peer signature type: RSA
>> Server Temp Key: X25519, 253 bits
>> ---
>>
>> I thought Curve25519 is using 256 bit keys.
>>
>> Why 253 instead of 256?
>>
>> with regards,
>> Saravanan
>>
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
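
The private-key bit fixing described in the quoted reply (bits 0, 1 and 2 of the first byte cleared, bit 7 of the last byte cleared, bit 6 of the last byte set), as an added example that is not part of the original thread or of OpenSSL's code. The function names are hypothetical, and the little-endian byte order is the RFC 7748 convention, assumed here.

```python
import os


def clamp(k: bytes) -> bytes:
    """Apply the X25519 private-key bit fixing to a 32-byte string."""
    if len(k) != 32:
        raise ValueError("X25519 private keys are exactly 32 bytes")
    b = bytearray(k)
    b[0] &= 0xF8    # clear bits 0, 1, 2 of the first byte
    b[31] &= 0x7F   # clear bit 7 of the last byte
    b[31] |= 0x40   # set bit 6 of the last byte
    return bytes(b)


def scalar(k: bytes) -> int:
    """Interpret the key bytes as a little-endian integer (assumed encoding)."""
    return int.from_bytes(k, "little")


def free_bits() -> int:
    """Count the bit positions that still depend on the input after clamping."""
    lo = scalar(clamp(bytes(32)))        # constructed input: all zero bits
    hi = scalar(clamp(b"\xff" * 32))     # constructed input: all one bits
    # A position differs between the two results only if clamping left it free.
    return bin(lo ^ hi).count("1")


def is_clamped(k: bytes) -> bool:
    """True if k already has the five fixed bits in place."""
    return len(k) == 32 and clamp(k) == k


if __name__ == "__main__":
    raw = os.urandom(32)                 # constructed sample key material
    s = scalar(clamp(raw))
    print("free bits after clamping:", free_bits())
    print("scalar bit length:", s.bit_length())
    print("scalar is a multiple of 8:", s % 8 == 0)
    print("raw input already clamped:", is_clamped(raw))
```
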