Score:2

ed25519 attacks


I am trying to understand the invalid curve attack and the small subgroup attack. The lower 3 bits of an ed25519 private key are cleared so that it is a multiple of 8.

So an attacker is unable to gain any information using a public key of a smaller subgroup or on an invalid curve.

Does this mean a check that a public key is on the curve before an ECDH is unnecessary?


kelalaka: Duplicate of [Why are the lower 3 bits of curve25519/ed25519 secret keys cleared during creation?](https://crypto.stackexchange.com/q/12425/18298)
kelalaka: And another one: [libsodium x25519 and Ed25519 small order check](https://crypto.stackexchange.com/a/55643/18298)
kelalaka: Note that [Ed25519 is the recommended Edwards-coordinate signature system](https://crypto.stackexchange.com/a/84435/18298); it is not used for DHKE, that is x25519. If we are talking about DHKE, then we have this one too: [Curve25519 Key Validation](https://crypto.stackexchange.com/a/87711/18298)
Score:3

You should still check as there are invalid curve attacks that give information other than the low bits of the key.

For example, the invalid curve attack of Neves and Tibouchi (Degenerate curve attacks: extending invalid curve attacks to Edwards curves and other models) uses the invalid point $(0,y)$ with $y\neq 1\pmod p$. If we use the Edwards formula to compute a scalar multiple by $k$ of this invalid point, we get the answer $(0,y^k\bmod p)$. If we choose $y$ to be a primitive root modulo $p$ and have access to this answer, we can find $k$ by solving a multiplicative discrete logarithm modulo $p$ (which for a special prime of 255 bits is highly feasible on even moderate computational resources).
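The degenerate-point behaviour the answer describes, as an added example that is not part of the answer: affine twisted-Edwards arithmetic with the Ed25519 constants, applied to the off-curve point $(0,y)$, beside the on-curve check that refuses it. It assumes an implementation that accepts raw affine $(x,y)$ peer input; the private scalar and the choice $y=3$ are constructed values.

```python
# Ed25519 twisted Edwards curve: a*x^2 + y^2 = 1 + d*x^2*y^2 over GF(p), a = -1.
p = 2**255 - 19
a = p - 1
d = (-121665 * pow(121666, -1, p)) % p

def is_on_curve(P):
    """Membership test a careful ECDH must apply to the peer's point."""
    x, y = P
    return (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(P, Q):
    """Affine twisted-Edwards addition with no input validation."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 - a * x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)

def scalar_mult(k, P):
    """Double-and-add; for P = (0, y) every intermediate stays on the line x = 0."""
    R, Q = (0, 1), P
    while k:
        if k & 1:
            R = add(R, Q)
        Q = add(Q, Q)
        k >>= 1
    return R

def clamp(raw):
    """Standard clamping: clear the low 3 bits and bit 255, set bit 254."""
    return (raw & ((1 << 254) - 8)) | (1 << 254)

def shared_secret(k, peer, validate):
    """ECDH-style scalar multiplication; with validate=True, off-curve input is refused."""
    if validate and not is_on_curve(peer):
        return None
    return scalar_mult(k, peer)

# Constructed inputs: a clamped private scalar and the degenerate point (0, 3).
k = clamp(0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF)
degenerate = (0, 3)

def demo():
    """(leak_matches, rejected): the unchecked result is (0, 3^k mod p), exposing the
    whole clamped scalar as a discrete log in GF(p)*; the checked variant refuses it."""
    leak_matches = shared_secret(k, degenerate, False) == (0, pow(3, k, p))
    rejected = shared_secret(k, degenerate, True) is None
    return leak_matches, rejected
```

Clamping only fixes the low bits and the top bit of $k$; the y-coordinate still determines all of $k$, which is why the curve-membership check, not clamping, is the defence here.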

FooBar: OK, that means there are even more possibilities that are not covered by that. Thank you for your answer. I will take a deeper look at that.