Join Log in
Score:1
shotex avatar Crypto

Is it safe to implement elliptic curve Diffie Hellman with secp256k1

cn flag
shotex

I need to implement X3DH Key Agreement Protocol according to Signal specification, in the document they suggest using either X25519 or X448 curves. I assume those curves have been chosen for this protocol for a reason. In the codebase elliptic curve public key cryptosystem has already been implemented with secp256k1. Would it be safe to generate the keys needed for this protocol using the existing implementation?

101
0 + 0
Score:0
Freddy Maldonado Pereyra avatar Crypto
cn flag
Freddy Maldonado Pereyra

Although mathematically Koblitz curves are a few bits weaker than random curves, in a context of elliptic curve cryptography of 256+ bits, those differences are innocuous, I would say, it's safe.

X25519 curves are fast, but not as secure as P-256, I think you are in a good track,

Best regards

0 + 0
knaccc avatar
es flag
knaccc
https://safecurves.cr.yp.to/index.html would disagree that P-256 is a better choice.
0
Reply
Freddy Maldonado Pereyra avatar
cn flag
Freddy Maldonado Pereyra
In first instance maybe is "ok" to check safecurves.cr, but yet, we need Cryptographic analysis to determine security, based on algorithm breaks or mathematical theory, Curve25519 is faster, not safer than P-256, X25519 is just DH with Curve25519, excellent choice for experimental purposes, bad choice if people just look up at safeCurves.cr and play the NIST conspiracy game. https://security.stackexchange.com/questions/50878/ecdsa-vs-ecdh-vs-ed25519-vs-curve25519 https://en.wikipedia.org/wiki/Curve25519 https://cr.yp.to/ecdh.html https://www.intechopen.com/chapters/68653
0
Reply
knaccc avatar
es flag
knaccc
I can see how the argument can be made that P-256 is as secure as Curve25519. Please could you substantiate your claim that Curve25519 is not as secure as P-256 .
0
Reply
Freddy Maldonado Pereyra avatar
cn flag
Freddy Maldonado Pereyra
Curve25519 is secure, not widely supported as P-256 although that could change because is getting very popular, for now, I always stick to the most-tested-used curves to determine security if we deal with financial industry, that's why I prefer P-256, aside from controversial claims of intentional backdoors.
0
Reply
kelalaka avatar
in flag
kelalaka
P-256 is popular since it is in the NIST list. NIST suggests 25519 for ECDSA with Edwards25519.
0
Reply
poncho avatar
my flag
poncho
@kelalaka: the prime subgroup in P-256 is about $2^{256}$, which leads to about '128 bit security' against discrete log attacks. The prime subgroup in Curve25519 is about $2^{252}$, which leads to about '126 bit security' against discrete log attacks. 128 > 126...
0
Reply
poncho avatar
my flag
poncho
@knaccc: oops; my last comment (about why Curve25519 is slightly weaker than P-256) was supposed to be addressed to you
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.