[openssl-users] X25519 - why openssl shows server temp key as 253 bits?
Jakob Bohm
jb-openssl at wisemo.com
Tue Sep 4 14:31:42 UTC 2018
On 04/09/2018 16:24, Robert Moskowitz wrote:
> My source is Dr. Lange at the IETF meeting in Toronto when the IETF
> selected EC25519.
>
> A curve point needs an x and a y. But do you need the y for the
> computation? Do you only need its sign? I don't know. I am not a
> mathematician.
>
> I may have misunderstood her at the time.
Ok, she (if anyone) should know.
I expect the papers, sample code etc. by Bernstein, Lange et al to
provide all the details of this.
>
> On 09/04/2018 10:19 AM, Jakob Bohm wrote:
>> On 04/09/2018 15:43, Robert Moskowitz wrote:
>>> And I seem to recall that one bit is for compact representation. That
>>> is, is y positive or negative. With p256, you have to transmit x and
>>> y or deal with the compact representation patent.
>>>
>> Not sure if this applies to X25519 and Ed255 which use different
>> techniques than the traditional curves.
>>
>> Those two are also intended to avoid data-dependent if() statements
>> (because of side channel attacks), but remain vulnerable on CPUs
>> where division or multiplication instructions have data-dependent
>> time and/or power consumption (which is unfortunately most of the
>> common ones).
>>
>>> On 09/04/2018 08:00 AM, Kyle Hamilton wrote:
>>>> Probably because the definition of X25519 requires that bits 0, 1,
>>>> and 2 of the first byte of the private key are set to 0 before being
>>>> used, and OpenSSL counts the number of bits including the
>>>> highest-order set bit. (Really, there's an additional 2 bits that
>>>> are also set to known values: bit 6 of the last byte is set, and bit
>>>> 7 of the last byte is cleared. In my view, this actually reduces
>>>> the necessary brute-force search space from 256 bits to 251 bits.
>>>> However, literally any 32-byte string can be used as a public key.
>>>> Apparently, djb views this as sufficient to call it a 256-bit
>>>> strength function.)
>>>>
>>>> For the specification, please see the subsection entitled
>>>> "Responsibilities of the User" in section 3 of
>>>> https://cr.yp.to/ecdh/curve25519-20060209.pdf .
>>>>
>>>> -Kyle H
>>>>
>>>> On Mon, Sep 3, 2018, 22:29 M K Saravanan <mksarav at gmail.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> When using openssl with X25519, why it shows the server temp key
>>>> as 253 bits?
>>>>
>>>> Example:
>>>>
>>>> ---
>>>> No client certificate CA names sent
>>>> Peer signing digest: SHA256
>>>> Peer signature type: RSA
>>>> Server Temp Key: X25519, 253 bits
>>>> ---
>>>>
>>>> I thought Curve25519 is using 256 bit keys.
>>>>
>>>> Why 253 instead of 256?
>>>>
>>>> with regards,
>>>> Saravanan
>>>>
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
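
Added example, not part of the original thread and not OpenSSL's code: a Python implementation of X25519 following RFC 7748. It shows the five fixed private-key bits described in Kyle Hamilton's message (leaving 251 key-controlled bits), the x-only computation that never uses a y coordinate, and a mask-based conditional swap in place of a data-dependent if(). The function names and the two sample keys are constructed for illustration.

```python
# Added illustration, not OpenSSL code. X25519 per RFC 7748 in plain Python.
# Python integers are not constant-time; this shows structure only.
P = 2**255 - 19      # field prime
A24 = 121665         # (486662 - 2) / 4 for the Montgomery curve

def clamp(sk: bytes) -> int:
    """Force the five fixed bits of a 32-byte private key; return the scalar."""
    b = bytearray(sk)
    b[0] &= 248      # clear bits 0, 1, 2 of the first byte
    b[31] &= 127     # clear bit 7 of the last byte
    b[31] |= 64      # set bit 6 of the last byte
    return int.from_bytes(b, "little")

def free_bits() -> int:
    """Count scalar bit positions that the clamp leaves under key control."""
    return bin(clamp(b"\x00" * 32) ^ clamp(b"\xff" * 32)).count("1")

def cswap(swap: int, a: int, b: int):
    """Swap a and b when swap == 1 using a mask instead of an if()."""
    d = -swap & (a ^ b)
    return a ^ d, b ^ d

def x25519(sk: bytes, u: bytes) -> bytes:
    """Scalar multiplication on the u (x) coordinate only; no y is used."""
    k = clamp(sk)
    x1 = int.from_bytes(u, "little") & (2**255 - 1)  # any 32 bytes accepted
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

BASE = (9).to_bytes(32, "little")            # standard base point u = 9
ALICE = bytes(range(32))                     # constructed sample key
BOB = bytes(range(32, 64))                   # constructed sample key
```

Two private keys that differ only in the five fixed bits produce the same public key, which is why those bits do not add to the search space.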