Hi On Jan 31, 2017, at 11:32 AM, Antonio Sanso <asa...@adobe.com> wrote:
> Thanks a lot guys, > > I have tried the sage formula from Mike and worked like a charm. > I got less luck with the approach from Trevor (but hey, is for sure my fault). > Of course even if I was able to calculate an equivalent public key there is > no chance I can retrieve the associate > private key (of course this would be like breaking DH, right?). > > Said that, last silly question on the topic is: > > in which situation not checking for the “right” public key can be a problem? Well it seems that “time" gave the answer :) https://nickler.ninja/blog/2017/05/23/exploiting-low-order-generators-in-one-time-ring-signatures/ regards antonio > Trevor mentioned already one situation, but I fail to see without the > knowledge > of the associated private key, where this could be an harm…. > > Thanks a lot and regards > > antonio > > On Jan 30, 2017, at 11:02 PM, Trevor Perrin <tr...@trevp.net> wrote: > >> On Mon, Jan 30, 2017 at 1:48 PM, Mike Hamburg <m...@shiftleft.org> wrote: >>> >>> On Jan 30, 2017, at 12:41 PM, Antonio Sanso <asa...@adobe.com> wrote: >>> >>> On Nov 7, 2016, at 12:51 AM, Trevor Perrin <tr...@trevp.net> wrote: >>> >>> However, cofactor>1 can still have subtle and unexpected effects, e.g. >>> see security considerations about "equivalent" public keys in RFC >>> 7748, which is relevant to the cofactor multiplication "cV" in >>> VXEdDSA, or including DH public keys into "AD" in Signal's (recently >>> published) X3DH [3]. >>> >>> >>> may you shed some more light about this? >>> What is the algorithm to find and “equivalent” public key? >> [...] >>> >>> Second, two x’s are equivalent if they differ by a c-torsion point. This is >>> because the X25519 Diffie-Hellman key exchange algorithm is computing >>> c*secret*P, which is the same as c*secret*(P+T) for points T such that c*T >>> is the identity. Another way to describe these equivalent keys is that >>> they’re the x-coordinates of points Q such that c*Q = c*P. >> >> I'll describe the same thing, but maybe this is simpler wording: >> >> For X25519, just add a point of low order (i.e. order=2, 4, or 8) onto >> an X25519 public key. Because X25519 private keys are multiples of >> the cofactor (8), the added point won't change DH results. >> >> I.e. for public key A, some private key b, and low-order point L: >> >> b(A+L) = bA + bL = bA >> >> >> Trevor > _______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves
