[EXPERIMENTAL-PATCH] Curve25519 encryption support (updated)

NIIBE Yutaka gniibe at fsij.org
Sat Jul 25 05:08:24 CEST 2015


On 07/24/2015 11:46 PM, Werner Koch wrote:
> What about
> 
>   le-tweak
> 
> because it is a tweak in the little endian representation.  Yeah, I know
> that it sounds like "let weak" ;-)
> 
> Or
> 
>   le-twist
>   le-highbit
>   le-msb
>   twistle

I feel that "twist" is a bit confusing, because we also use the term
"twist" for curves.  Tweak would be better.

I think that it's not specific to little endian.  Last year, when I
tested Curve25519, the key (secret and public) was in big endian
format.


For the cofactor-multiplied secret key, I refer to the site:

    SafeCurves: choosing safe curves for elliptic-curve cryptography
    Twist security
    http://safecurves.cr.yp.to/twist.html

    In the section "Background: small-subgroup attacks",
    it says:

    A protocol designer can protect against this type of attack for
    any curve by specifying n=hs.

Here, h is the cofactor, n is the secret key, and I think that s is
something secret.


For a secret key with MSB=1, it's obvious that it's against timing
attacks.  Since it's so obvious, I don't have a good reference.  Here is
an explanation I found on a Q&A site:

    When using Curve25519, why does the private key always have a fixed bit at 2^254?

    crypto.stackexchange.com/questions/11810/when-using-curve25519-why-does-the-private-key-always-have-a-fixed-bit-at-2254

(As I said yesterday, this can be applied to computation with other
curves.)


Yes, the practice for the secret key is a tweak against such attacks.
-- 
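As an added illustration of the two tweaks discussed in the mail above (n = hs with cofactor h = 8, and the fixed bit at 2^254), the following is example code written for this thread, not libgcrypt's implementation; it assumes the RFC 7748 little-endian scalar encoding and ladder constants, and the sample keys are constructed.

```python
# Curve25519 secret-key tweak (RFC 7748 "clamping"): example code written
# for this thread, not libgcrypt's code.  Sample keys below are constructed.
P = 2**255 - 19          # field prime
A24 = 121665             # (A - 2) / 4 for the curve constant A = 486662

def clamp(sk: bytes) -> bytes:
    """Apply both tweaks from the thread to a 32-byte little-endian scalar:
    clear the low 3 bits (n = 8*s, so the order-8 subgroup is killed) and
    force bit 254 set / bit 255 clear (every scalar is exactly 255 bits)."""
    if len(sk) != 32:
        raise ValueError("Curve25519 secret keys are 32 bytes")
    b = bytearray(sk)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)

def decode_scalar(sk: bytes) -> int:
    return int.from_bytes(sk, "little")

def x25519(k: int, u: int) -> tuple[int, int]:
    """RFC 7748 Montgomery ladder for k*P with P = (u, .), walking k from
    its top set bit.  Returns (u of k*P, ladder steps taken) so the caller
    can see how the step count depends on the secret without the tweak."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(k.bit_length() - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                      # constant-time cswap in real code
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P, k.bit_length()

if __name__ == "__main__":
    n = decode_scalar(clamp(bytes(range(32))))   # constructed key
    print(n % 8 == 0, n.bit_length())            # True 255
    # u = 1 is a point of order 4: scalar 7 leaves it standing (output 1),
    # the clamped scalar collapses it to 0, which a peer can reject.
    print(x25519(7, 1)[0], x25519(n, 1)[0])      # 1 0
```

Without the tweak the ladder's step count is the scalar's bit length and so varies with the secret; with it, every scalar runs exactly 255 steps and any low-order input point yields the all-zero output.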