[EXPERIMENTAL-PATCH] Curve25519 encryption support (updated)

NIIBE Yutaka gniibe at fsij.org
Sat Jul 25 05:08:24 CEST 2015

On 07/24/2015 11:46 PM, Werner Koch wrote:
> What about
>   le-tweak
> because it is a tweak in the little endian representation.  Yeah, I know
> that it sounds like "let weak" ;-)
> Or
>   le-twist
>   le-highbit
>   le-msb
>   twistle

I feel that "twist" is a bit confusing, because we also use the term
"twist" for curves.  tweak would be better.

I think that it's not specific to little endian.  Last year, when I
tested Curve25519, the key (secret and public) was in big endian

For the cofactor-multiplied secret key, I refer to the site:

    SafeCurves: choosing safe curves for elliptic-curve cryptography
    Twist security

    In the section: Background: small-subgroup attacks,
    it says:

    A protocol designer can protect against this type of attack for
    any curve by specifying n=hs.

Here, h is the cofactor, n is the secret key, and I think that s is
something secret.

For a secret key with MSB=1, it's obvious that it's against timing
attacks.  Since it's so obvious, I don't have a good reference.  Here is
an explanation I found on a Q&A site:

    When using Curve25519, why does the private key always have a fixed bit at 2^254?
(As I said yesterday, this can be applied to computation with other

Yes, the practice of secret key is a tweak against such attacks.
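Added example, not code from this thread or from libgcrypt: the secret-key tweak discussed above as RFC 7748 specifies it for the 32-byte little-endian Curve25519 secret, plus a check of the two properties named in the mail (n = h*s with cofactor h = 8, and a fixed top bit at 2^254). The sample secret is constructed, not a real key.

```python
# Added example (not from the thread or libgcrypt): the Curve25519 secret-key
# "tweak" as specified in RFC 7748 (decodeScalar25519).  Clearing the three
# low bits makes the scalar a multiple of the cofactor h = 8 (n = h*s), and
# fixing bit 254 gives every scalar the same bit length, so a scalar
# multiplication ladder does the same amount of work for every key.

COFACTOR = 8

def clamp_scalar(sk: bytes) -> bytes:
    """Apply the RFC 7748 tweak to a 32-byte little-endian Curve25519 secret."""
    if len(sk) != 32:
        raise ValueError("Curve25519 secret keys are 32 bytes")
    k = bytearray(sk)
    k[0] &= 248     # clear the low 3 bits -> multiple of the cofactor 8
    k[31] &= 127    # clear bit 255
    k[31] |= 64     # set bit 254 -> fixed most significant bit
    return bytes(k)

def scalar_to_int(sk: bytes) -> int:
    """Little-endian byte string to integer (RFC 7748 byte order)."""
    return int.from_bytes(sk, "little")

def check_tweak(n: int) -> dict:
    """Report the properties the mail describes for a tweaked scalar n."""
    return {
        "multiple_of_cofactor": n % COFACTOR == 0,
        "bit254_set": (n >> 254) & 1 == 1,
        "bit255_clear": (n >> 255) & 1 == 0,
        "s": n // COFACTOR,      # the "something secret" s in n = h*s
    }

# Constructed sample secret (not a real key): all bits set, so the tweak
# visibly changes both ends of the little-endian buffer.
SAMPLE_SK = bytes([0xFF] * 32)

if __name__ == "__main__":
    raw = scalar_to_int(SAMPLE_SK)
    tweaked = scalar_to_int(clamp_scalar(SAMPLE_SK))
    print("raw     :", check_tweak(raw))
    print("tweaked :", check_tweak(tweaked))
```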
