[openssl-users] X25519 - why openssl shows server temp key as 253 bits?

Robert Moskowitz rgm at htt-consult.com
Tue Sep 4 14:24:51 UTC 2018


My source is Dr. Lange at the IETF meeting in Toronto when the IETF 
selected EC25519.

A curve point needs an x and a y.  But do you need the y for the 
computation?  Do you only need its sign?  I don't know.  I am not a 
mathematician.

I may have misunderstood her at the time.

On 09/04/2018 10:19 AM, Jakob Bohm wrote:
> On 04/09/2018 15:43, Robert Moskowitz wrote:
>> And I seem to recall that one bit is for compact representation. That 
>> is, is y positive or negative. With p256, you have to transmit x and 
>> y or deal with the compact representation patent.
>>
> Not sure if this applies to X25519 and Ed255 which use different
> techniques than the traditional curves.
>
> Those two are also intended to avoid data-dependent if() statements
> (because of side channel attacks), but remain vulnerable on CPUs
> where division or multiplication instructions have data-dependent
> time and/or power consumption (which is unfortunately most of the
> common ones).
>
>> On 09/04/2018 08:00 AM, Kyle Hamilton wrote:
>>> Probably because the definition of X25519 requires that bits 0, 1, 
>>> and 2 of the first byte of the private key are set to 0 before being 
>>> used, and OpenSSL counts the number of bits including the 
>>> highest-order set bit. (Really, there's an additional 2 bits that 
>>> are also set to known values: bit 6 of the last byte is set, and bit 
>>> 7 of the last byte is cleared.  In my view, this actually reduces 
>>> the necessary brute-force search space from 256 bits to 251 bits. 
>>> However, literally any 32-byte string can be used as a public key.  
>>> Apparently, djb views this as sufficient to call it a 256-bit 
>>> strength function.)
>>>
>>> For the specification, please see the subsection entitled 
>>> "Responsibilities of the User" in section 3 of 
>>> https://cr.yp.to/ecdh/curve25519-20060209.pdf .
>>>
>>> -Kyle H
>>>
>>> On Mon, Sep 3, 2018, 22:29 M K Saravanan <mksarav at gmail.com> wrote:
>>>
>>>     Hi,
>>>
>>>     When using openssl with X25519, why does it show the server temp key
>>>     as 253 bits?
>>>
>>>     Example:
>>>
>>>     ---
>>>     No client certificate CA names sent
>>>     Peer signing digest: SHA256
>>>     Peer signature type: RSA
>>>     Server Temp Key: X25519, 253 bits
>>>     ---
>>>
>>>     I thought Curve25519 is using 256 bit keys.
>>>
>>>     Why 253 instead of 256?
>>>
>>>     with regards,
>>>     Saravanan
>>>
>
> Enjoy
>
> Jakob
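
An added example, not part of the original thread: the private-key clamping Kyle describes, applied to 32-byte strings so the forced bits can be counted. The function names are assumptions made for this sketch; `SUBGROUP_ORDER` is the order of the Curve25519 base point, included so its bit length can be compared with the figure OpenSSL prints.

```python
import os

# Order of the Curve25519 base point (the prime-order subgroup).
SUBGROUP_ORDER = 2**252 + 27742317777372353535851937790883648493


def clamp(k: bytes) -> bytes:
    """Apply the X25519 private-key clamping described in the thread."""
    if len(k) != 32:
        raise ValueError("X25519 private keys are exactly 32 bytes")
    b = bytearray(k)
    b[0] &= 0b11111000    # clear bits 0, 1 and 2 of the first byte
    b[31] &= 0b01111111   # clear bit 7 of the last byte
    b[31] |= 0b01000000   # set bit 6 of the last byte
    return bytes(b)


def scalar(k: bytes) -> int:
    """Clamp k and read it as the little-endian integer used as the scalar."""
    return int.from_bytes(clamp(k), "little")


def free_bits() -> int:
    """Count bit positions that clamping leaves under the caller's control."""
    lo = scalar(bytes(32))       # all-zero input: only forced-to-1 bits remain
    hi = scalar(b"\xff" * 32)    # all-one input: forced-to-0 bits drop out
    return bin(lo ^ hi).count("1")


if __name__ == "__main__":
    # Constructed inputs: two extremes and one random key.
    samples = [("zeros", bytes(32)), ("ones", b"\xff" * 32),
               ("random", os.urandom(32))]
    for label, raw in samples:
        s = scalar(raw)
        print(f"{label:6} bit_length={s.bit_length()} multiple_of_8={s % 8 == 0}")
    print("free bits after clamping:", free_bits())
    print("subgroup order bit length:", SUBGROUP_ORDER.bit_length())
```

Every clamped scalar has its highest set bit at position 254, so counting up to the highest set bit gives 255; the 251 free bits and the 253-bit subgroup order are separate quantities.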