Score:1

Is it safe to implement elliptic curve Diffie-Hellman with secp256k1?


I need to implement the X3DH Key Agreement Protocol according to the Signal specification. In the document they suggest using either the X25519 or X448 curves. I assume those curves have been chosen for this protocol for a reason. In the codebase, an elliptic curve public key cryptosystem has already been implemented with secp256k1. Would it be safe to generate the keys needed for this protocol using the existing implementation?

Score:0

Although mathematically Koblitz curves are a few bits weaker than random curves, in the context of elliptic curve cryptography of 256+ bits those differences are innocuous. I would say it's safe.

X25519 curves are fast, but not as secure as P-256. I think you are on a good track.

Best regards

knaccc
https://safecurves.cr.yp.to/index.html would disagree that P-256 is a better choice.
Freddy Maldonado Pereyra
In the first instance maybe it is "ok" to check safecurves.cr, but we still need cryptographic analysis to determine security, based on algorithm breaks or mathematical theory. Curve25519 is faster, not safer, than P-256. X25519 is just DH with Curve25519: an excellent choice for experimental purposes, a bad choice if people just look at safeCurves.cr and play the NIST conspiracy game. https://security.stackexchange.com/questions/50878/ecdsa-vs-ecdh-vs-ed25519-vs-curve25519 https://en.wikipedia.org/wiki/Curve25519 https://cr.yp.to/ecdh.html https://www.intechopen.com/chapters/68653
knaccc
I can see how the argument can be made that P-256 is as secure as Curve25519. Please could you substantiate your claim that Curve25519 is not as secure as P-256.
Freddy Maldonado Pereyra
Curve25519 is secure, but not as widely supported as P-256, although that could change because it is getting very popular. For now, I always stick to the most tested and used curves to determine security if we deal with the financial industry; that's why I prefer P-256, aside from controversial claims of intentional backdoors.
kelalaka
P-256 is popular since it is in the NIST list. NIST suggests 25519 for ECDSA with Edwards25519.
poncho
@kelalaka: the prime subgroup in P-256 is about $2^{256}$, which leads to about '128 bit security' against discrete log attacks. The prime subgroup in Curve25519 is about $2^{252}$, which leads to about '126 bit security' against discrete log attacks. 128 > 126...
poncho
@knaccc: oops; my last comment (about why Curve25519 is slightly weaker than P-256) was supposed to be addressed to you