[EXPERIMENTAL-PATCH] Curve25519 encryption support (updated)
NIIBE Yutaka
gniibe at fsij.org
Sat Jul 25 05:08:24 CEST 2015
On 07/24/2015 11:46 PM, Werner Koch wrote:
> What about
>
> le-tweak
>
> because it is a tweak in the little endian representation. Yeah, I know
> that it sounds like "let weak" ;-)
>
> Or
>
> le-twist
> le-highbit
> le-msb
> twistle

I feel that "twist" is a bit confusing, because we also use the term
"twist" for curves. tweak would be better.

I think that it's not specific to little endian. Last year, when I
tested Curve25519, the key (secret and public) was in big endian
format.

For the cofactor-multiplied secret key, I refer to the site:

    SafeCurves: choosing safe curves for elliptic-curve cryptography
    Twist security
    http://safecurves.cr.yp.to/twist.html

In the section: Background: small-subgroup attacks,
it says:

    A protocol designer can protect against this type of attack for
    any curve by specifying n=hs.

Here, h is the cofactor, n is the secret key, and I think that s is
something secret.

For a secret key with MSB=1, it's obvious that it's against timing
attacks. Since it's so obvious, I don't have a good reference. Here is
an explanation I found on a Q&A site:

    When using Curve25519, why does the private key always have a fixed bit at 2^254?
    crypto.stackexchange.com/questions/11810/when-using-curve25519-why-does-the-private-key-always-have-a-fixed-bit-at-2254

(As I said yesterday, this can be applied to computation with other
curves.)

Yes, the practice of secret key is a tweak against such attacks.
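
The two properties of the tweak discussed in this message (n = hs with cofactor h = 8, and a fixed top bit at 2^254), as an added Python example that is not part of the original message and is not libgcrypt code. The function names, the sample secret and the use of u = 1 (a point of order 4 on Curve25519) are assumptions of the example.

```python
# Added illustration, not libgcrypt code. tweak(), tweak_bytes() and ladder()
# are hypothetical names; the sample secret below is constructed.
P = 2**255 - 19        # field prime of Curve25519
A24 = 121665           # (486662 - 2) / 4, as in RFC 7748
H = 8                  # cofactor h
LOW_ORDER_U = 1        # u-coordinate of a point of order 4

def tweak(n: int) -> int:
    """Return n = h*s with a fixed top bit: low 3 bits cleared, bit 254 set."""
    n &= (1 << 255) - 1    # drop bit 255
    n &= ~(H - 1)          # make n a multiple of the cofactor
    return n | (1 << 254)  # every key gets the same bit length

def tweak_bytes(raw: bytes, byteorder: str) -> int:
    """The tweak acts on the integer, so either byte order can carry it."""
    return tweak(int.from_bytes(raw, byteorder))

def ladder(k: int, u: int) -> int:
    """x-only Montgomery ladder, always 255 steps (Python is not constant-time)."""
    x1, x2, z2, x3, z3, swap = u % P, 1, 0, u % P, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P

def demo():
    raw = bytes(range(1, 33))            # constructed 32-byte secret
    n_raw = int.from_bytes(raw, "little")
    n = tweak_bytes(raw, "little")
    return {
        "multiple_of_h": n % H == 0,
        "bit_length": n.bit_length(),
        "untweaked_on_low_order": ladder(n_raw, LOW_ORDER_U),
        "tweaked_on_low_order": ladder(n, LOW_ORDER_U),
    }

if __name__ == "__main__":
    print(demo())
```

With the untweaked scalar, the result on the low-order input depends on the low bits of the secret; with the tweaked scalar it is always 0, and the scalar always has bit 254 as its top bit.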