[openssl-users] X25519 - why openssl shows server temp key as 253 bits?
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Sep 4 14:50:53 UTC 2018
With curve25519, the scalar multiplication function:
(x, y) -> n * (x, y) = (x', y') -> x'
has the property that for valid points on the extended curve (degree
two extension of F(p) that gives a y for every x in F(p)), x' depends
only on x, and can be effectively computed from x alone, and this can
be done for all x in F(p) since all "x" values are either on the curve
or its "twist". Therefore, the X25519 key agreement protocol only
uses the x-coordinate.
IIRC, Ed25519 signatures do require a y-coordinate sign, and so the
signature representation is not x-only.
> On Sep 4, 2018, at 10:24 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
> My source is Dr. Lange at the IETF meeting in Toronto when the IETF selected EC25519.
>
> A curve point needs an x and a y. But do you need the y for the computation. Do you only need its sign? I don't know. I am not a mathematician.
--
Viktor.
More information about the openssl-users
mailing list