[openssl-users] X25519 - why openssl shows server temp key as 253 bits?
rgm at htt-consult.com
Tue Sep 4 14:24:51 UTC 2018
My source is Dr. Lange at the IETF meeting in Toronto when the IETF
A curve point needs an x and a y. But do you need the y for the
computation. Do you only need its sign? I don't know. I am not a
I may have misunderstood her at the time.
On 09/04/2018 10:19 AM, Jakob Bohm wrote:
> On 04/09/2018 15:43, Robert Moskowitz wrote:
>> And I seem to recall that one bit is for compact representation. That
>> is, is y positive or negative. With p256, you have to transmit x and
>> y or deal with the compact representation patent.
> Not sure if this applies do X25519 and Ed255 which use different
> techniques than the traditional curves.
> Those two are also intended to avoid data-dependent if() statements
> (because of side channel attacks), but remain vulnerable on CPUs
> where division or multiplication instructions have data-dependent
> time and/or power consumption (which is unfortunately most of the
> common ones).
>> On 09/04/2018 08:00 AM, Kyle Hamilton wrote:
>>> Probably because the definition of X25519 requires that bits 0, 1,
>>> and 2 of the first byte of the private key are set to 0 before being
>>> used, and OpenSSL counts the number of bits including the
>>> highest-order set bit. (Really, there's an additional 2 bits that
>>> are also set to known values: bit 6 of the last byte is set, and bit
>>> 7 of the last byte is cleared. In my view, this actually reduces
>>> the necessary brute-force search space from 256 bits to 251 bits.
>>> However, literally any 32-byte string can be used as a public key.
>>> Apparently, djb views this as sufficient to call it a 256-bit
>>> strength function.)
>>> For the specification, please see the subsection entitled
>>> "Responsibilities of the User" in section 3 of
>>> https://cr.yp.to/ecdh/curve25519-20060209.pdf .
>>> -Kyle H
>>> On Mon, Sep 3, 2018, 22:29 M K Saravanan <mksarav at gmail.com
>>> <mailto:mksarav at gmail.com>> wrote:
>>> When using openssl with X25519, why it shows the server temp key
>>> as 253 bits?
>>> No client certificate CA names sent
>>> Peer signing digest: SHA256
>>> Peer signature type: RSA
>>> Server Temp Key: X25519, 253 bits
>>> I thought Curve25519 is using 256 bit keys.
>>> Why 253 instead of 256?
>>> with regards,
More information about the openssl-users