[EXPERIMENTAL-PATCH] Curve25519 encryption support (updated)
gniibe at fsij.org
Sat Jul 25 05:08:24 CEST 2015
On 07/24/2015 11:46 PM, Werner Koch wrote:
> What about
> because it is a tweak in the little endian representation. Yeah, I know
> that it sounds like "let weak" ;-)
I feel that "twist" is a bit confusing, because we also use the term
"twist" for curves. "Tweak" would be better.
I think that it's not specific to little endian. Last year, when I
tested Curve25519, the key (secret and public) was in big endian
For the cofactor-multiplied secret key, I refer to the site:
SafeCurves: choosing safe curves for elliptic-curve cryptography
In the section: Background: small-subgroup attacks,
A protocol designer can protect against this type of attack for
any curve by specifying n=hs.
Here, h is the cofactor, n is the secret key, and I think that s is
For the secret key with MSB=1, it's obvious that it's against timing
attack. Since it's so obvious, I don't have good reference. Here is
an explanation I found in Q&A site:
When using Curve25519, why does the private key always have a fixed bit at 2^254?
(As I said yesterday, this can be applied to computation with other
Yes, the practice of secret key is a tweak against such attacks.
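The secret-key tweak discussed in this message (n = hs with h = 8, and the fixed bit at 2^254), as an added example that is not part of the original post or of libgcrypt's code: a plain-Python X25519 using the RFC 7748 ladder formulas. The function names and the sample secret are assumptions made for illustration, and the Python branch on key bits is not constant-time.

```python
# Added illustration; names are hypothetical, not libgcrypt's API.
P = 2**255 - 19      # field prime
A24 = 121665         # (486662 - 2) / 4
COFACTOR = 8         # h in "n = hs"

def tweak(secret: bytes) -> int:
    """Decode 32 little-endian bytes and apply the secret-key tweak."""
    n = int.from_bytes(secret, "little")
    n &= ~(COFACTOR - 1)     # multiple of h: small-subgroup parts vanish
    n &= (1 << 255) - 1      # clear bit 255
    n |= 1 << 254            # fixed top bit: same ladder length for every key
    return n

def ladder(k: int, u: int) -> int:
    """u-coordinate of k*P via the Montgomery ladder (RFC 7748 formulas)."""
    x1, x2, z2, x3, z3, swap = u % P, 1, 0, u % P, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:       # real code uses a constant-time conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def x25519(secret: bytes, u: bytes) -> bytes:
    u_int = int.from_bytes(u, "little") & ((1 << 255) - 1)
    return ladder(tweak(secret), u_int).to_bytes(32, "little")

def is_low_order_result(shared: bytes) -> bool:
    """All-zero output means the peer's point had small order: reject it."""
    return shared == bytes(32)

if __name__ == "__main__":
    secret = bytes(range(1, 33))                 # constructed sample secret
    print(tweak(secret) % COFACTOR, tweak(secret).bit_length())
    print(is_low_order_result(x25519(secret, (1).to_bytes(32, "little"))))
```

Because every tweaked scalar is a multiple of 8, a peer value of small order (u = 0 or u = 1 here) always yields the all-zero result, which the caller can check for and reject.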