different secret keys yield the same public key?ECC - ElGamal with Montgomery or Edwards type curves (curve25519, ed25519) - possible?Public Key Encryption using ECDHE and AES-GCMHow can I split a packed Ed25519 public signing key into its X and Y coordinates?How to convert from curve25519 33 byte to 32 byte representationmbed tls DTLS v1.2 system with -ECDHE-ECDSA, mutual auth and pre-installed public/private keys, no unnecessary messages or ASN.1/X.509 decodingDoes AES-GCM without security tag turn into regular CTR Mode?How to prove that two EC public keys created with two different generators share the same secret key?What is the difference between a sealed box and a normal box in libsodium?Can I do a forward secure half-round ephemeral-static ECDH?Is the curve25519 algorithm a special(implementation) one of ECDH?
Is straight-up writing someone's opinions telling?
How to ask my office to remove the pride decorations without appearing anti-LGBTQ?
Cauchy reals and Dedekind reals satisfy "the same mathematical theorems"
Fantasy Story About A Boy And Girl That Enter A Fantasy World Pre-1994
Do aircraft cabins have suspension?
Why doesn't philosophy have higher standards for its arguments?
What is the word for "event executor"?
Index Uniqueness Overhead
(Piano) is the purpose of sheet music to be played along to? Or a guide for learning and reference during playing?
Did 007 exist before James Bond?
Can you perfectly wrap a cube with this blocky shape?
What is the goal and toolset of philosophy?
Is it rude to refer to janitors as 'floor people'?
Why are road bikes (not time trial bikes) used in many triathlons?
Will a contempt of congress lawsuit actually reach the merits?
different secret keys yield the same public key?
Adjusting vertical spacing in fractions?
How Can I Process Untrusted Data Sources Securely?
Why do candidates not quit if they no longer have a realistic chance to win in the 2020 US presidents election
Why do so many pure math PhD students drop out or leave academia, compared to applied mathematics PhDs?
More output neurons than labels?
Why don't commercial aircraft adopt a slightly more seaplane-like design to allow safer ditching in case of emergency?
Sankhara meditation
Why is my calculation for added length of coax for a double cross antenna different to everyone else's?
different secret keys yield the same public key?
ECC - ElGamal with Montgomery or Edwards type curves (curve25519, ed25519) - possible?Public Key Encryption using ECDHE and AES-GCMHow can I split a packed Ed25519 public signing key into its X and Y coordinates?How to convert from curve25519 33 byte to 32 byte representationmbed tls DTLS v1.2 system with -ECDHE-ECDSA, mutual auth and pre-installed public/private keys, no unnecessary messages or ASN.1/X.509 decodingDoes AES-GCM without security tag turn into regular CTR Mode?How to prove that two EC public keys created with two different generators share the same secret key?What is the difference between a sealed box and a normal box in libsodium?Can I do a forward secure half-round ephemeral-static ECDH?Is the curve25519 algorithm a special(implementation) one of ECDH?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
$begingroup$
https://tools.ietf.org/html/draft-josefsson-tls-curve25519-06#appendix-A.2 gives the following as a secret key / public key combo:
S_a = 0x6A2CB91DA5FB77B12A99C0EB872F4CDF
4566B25172C1163C7DA518730A6D0770
P_a = 85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
https://tools.ietf.org/html/rfc7748#section-6.1 gives another secret key / public key combo:
Alice's private key, a:
77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
Alice's public key, X25519(a, 9):
8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a
Note how the public key is the same for both but the secret key is not.
sodium_crypto_box
_publickey_from_secretkey seems to concur with the RFC but not the IETF Draft:
https://3v4l.org/i61aE
My question is... what is the RFC doing that the draft is not?
I ask because I have an implementation that is giving me the correct public key from the secret key in the IETF Draft and I'm wanting to make it so that I can use that same implementation to get the public key from the secret key in the IETF RFC. But, more than that, I'm just curious.
Thanks!
elliptic-curves diffie-hellman libsodium
asked 8 hours ago
neubertneubert
1,42515 silver badges29 bronze badges
$endgroup$
add a comment |
$begingroup$
https://tools.ietf.org/html/draft-josefsson-tls-curve25519-06#appendix-A.2 gives the following as a secret key / public key combo:
S_a = 0x6A2CB91DA5FB77B12A99C0EB872F4CDF
4566B25172C1163C7DA518730A6D0770
P_a = 85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
https://tools.ietf.org/html/rfc7748#section-6.1 gives another secret key / public key combo:
Alice's private key, a:
77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
Alice's public key, X25519(a, 9):
8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a
Note how the public key is the same for both but the secret key is not.
sodium_crypto_box
_publickey_from_secretkey seems to concur with the RFC but not the IETF Draft:
https://3v4l.org/i61aE
My question is... what is the RFC doing that the draft is not?
I ask because I have an implementation that is giving me the correct public key from the secret key in the IETF Draft and I'm wanting to make it so that I can use that same implementation to get the public key from the secret key in the IETF RFC. But, more than that, I'm just curious.
Thanks!
elliptic-curves diffie-hellman libsodium
asked 8 hours ago
neubertneubert
1,42515 silver badges29 bronze badges
$endgroup$
add a comment |
$begingroup$
https://tools.ietf.org/html/draft-josefsson-tls-curve25519-06#appendix-A.2 gives the following as a secret key / public key combo:
S_a = 0x6A2CB91DA5FB77B12A99C0EB872F4CDF
4566B25172C1163C7DA518730A6D0770
P_a = 85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
https://tools.ietf.org/html/rfc7748#section-6.1 gives another secret key / public key combo:
Alice's private key, a:
77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
Alice's public key, X25519(a, 9):
8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a
Note how the public key is the same for both but the secret key is not.
sodium_crypto_box
_publickey_from_secretkey seems to concur with the RFC but not the IETF Draft:
https://3v4l.org/i61aE
My question is... what is the RFC doing that the draft is not?
I ask because I have an implementation that is giving me the correct public key from the secret key in the IETF Draft and I'm wanting to make it so that I can use that same implementation to get the public key from the secret key in the IETF RFC. But, more than that, I'm just curious.
Thanks!
elliptic-curves diffie-hellman libsodium
asked 8 hours ago
neubertneubert
1,42515 silver badges29 bronze badges
$endgroup$
https://tools.ietf.org/html/draft-josefsson-tls-curve25519-06#appendix-A.2 gives the following as a secret key / public key combo:
S_a = 0x6A2CB91DA5FB77B12A99C0EB872F4CDF
4566B25172C1163C7DA518730A6D0770
P_a = 85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
https://tools.ietf.org/html/rfc7748#section-6.1 gives another secret key / public key combo:
Alice's private key, a:
77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
Alice's public key, X25519(a, 9):
8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a
Note how the public key is the same for both but the secret key is not.
sodium_crypto_box
_publickey_from_secretkey seems to concur with the RFC but not the IETF Draft:
https://3v4l.org/i61aE
My question is... what is the RFC doing that the draft is not?
I ask because I have an implementation that is giving me the correct public key from the secret key in the IETF Draft and I'm wanting to make it so that I can use that same implementation to get the public key from the secret key in the IETF RFC. But, more than that, I'm just curious.
Thanks!
elliptic-curves diffie-hellman libsodium
elliptic-curves diffie-hellman libsodium
asked 8 hours ago
neubertneubert
1,42515 silver badges29 bronze badges
asked 8 hours ago
neubertneubert
1,42515 silver badges29 bronze badges
asked 8 hours ago
neubertneubert
1,42515 silver badges29 bronze badges
asked 8 hours ago
neubertneubert
1,42515 silver badges29 bronze badges
asked 8 hours ago
neubertneubert
1,42515 silver badges29 bronze badges
1,42515 silver badges29 bronze badges
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
$begingroup$
I'm pretty sure this is an endianness issue. Specifically, taking the S_a value from the Josefsson draft and reversing the order of the bytes (i.e. pairs of hex digits) in it gives:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
which is almost the same as the value of a given in RFC 7748 § 6.1. In fact, XORing the values shows that they differ at only four bits:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
⊕ 77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
------------------------------------------------------------------
= 0700000000000000000000000000000000000000000000000000000000000040
The remaining difference seems to come down to canonicalization; in particular, RFC 7748 § 5 says (emphasis mine):
For X25519, in order to decode 32 random bytes as an integer scalar, set the three least significant bits of the first byte and the most significant bit of the last to zero, set the second most significant bit of the last byte to 1 and, finally, decode as little-endian.
The S_a value given in the Josefsson draft appears to have this canonicalization correctly pre-applied (after accounting for the byte reversal, that is), whereas the a value in RFC 7748 § 6.1 has the three least significant bits of the first byte set to one, and second most significant bit of the last byte set to zero.
Alternatively, one could simply interpret this as a from RFC 7748 § 6.1 being the raw input sequence of 32 random bytes (written as 32 pairs of hex digits concatenated together), whereas S_a from the Josefsson draft is the corresponding 256-bit number (written as a hexadecimal integer literal) obtained after those random bytes have been canonicalized as described above and decoded in little-endian order.
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
$endgroup$
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f71983%2fdifferent-secret-keys-yield-the-same-public-key%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
I'm pretty sure this is an endianness issue. Specifically, taking the S_a value from the Josefsson draft and reversing the order of the bytes (i.e. pairs of hex digits) in it gives:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
which is almost the same as the value of a given in RFC 7748 § 6.1. In fact, XORing the values shows that they differ at only four bits:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
⊕ 77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
------------------------------------------------------------------
= 0700000000000000000000000000000000000000000000000000000000000040
The remaining difference seems to come down to canonicalization; in particular, RFC 7748 § 5 says (emphasis mine):
For X25519, in order to decode 32 random bytes as an integer scalar, set the three least significant bits of the first byte and the most significant bit of the last to zero, set the second most significant bit of the last byte to 1 and, finally, decode as little-endian.
The S_a value given in the Josefsson draft appears to have this canonicalization correctly pre-applied (after accounting for the byte reversal, that is), whereas the a value in RFC 7748 § 6.1 has the three least significant bits of the first byte set to one, and second most significant bit of the last byte set to zero.
Alternatively, one could simply interpret this as a from RFC 7748 § 6.1 being the raw input sequence of 32 random bytes (written as 32 pairs of hex digits concatenated together), whereas S_a from the Josefsson draft is the corresponding 256-bit number (written as a hexadecimal integer literal) obtained after those random bytes have been canonicalized as described above and decoded in little-endian order.
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
$endgroup$
add a comment |
$begingroup$
I'm pretty sure this is an endianness issue. Specifically, taking the S_a value from the Josefsson draft and reversing the order of the bytes (i.e. pairs of hex digits) in it gives:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
which is almost the same as the value of a given in RFC 7748 § 6.1. In fact, XORing the values shows that they differ at only four bits:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
⊕ 77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
------------------------------------------------------------------
= 0700000000000000000000000000000000000000000000000000000000000040
The remaining difference seems to come down to canonicalization; in particular, RFC 7748 § 5 says (emphasis mine):
For X25519, in order to decode 32 random bytes as an integer scalar, set the three least significant bits of the first byte and the most significant bit of the last to zero, set the second most significant bit of the last byte to 1 and, finally, decode as little-endian.
The S_a value given in the Josefsson draft appears to have this canonicalization correctly pre-applied (after accounting for the byte reversal, that is), whereas the a value in RFC 7748 § 6.1 has the three least significant bits of the first byte set to one, and second most significant bit of the last byte set to zero.
Alternatively, one could simply interpret this as a from RFC 7748 § 6.1 being the raw input sequence of 32 random bytes (written as 32 pairs of hex digits concatenated together), whereas S_a from the Josefsson draft is the corresponding 256-bit number (written as a hexadecimal integer literal) obtained after those random bytes have been canonicalized as described above and decoded in little-endian order.
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
$endgroup$
add a comment |
$begingroup$
I'm pretty sure this is an endianness issue. Specifically, taking the S_a value from the Josefsson draft and reversing the order of the bytes (i.e. pairs of hex digits) in it gives:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
which is almost the same as the value of a given in RFC 7748 § 6.1. In fact, XORing the values shows that they differ at only four bits:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
⊕ 77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
------------------------------------------------------------------
= 0700000000000000000000000000000000000000000000000000000000000040
The remaining difference seems to come down to canonicalization; in particular, RFC 7748 § 5 says (emphasis mine):
For X25519, in order to decode 32 random bytes as an integer scalar, set the three least significant bits of the first byte and the most significant bit of the last to zero, set the second most significant bit of the last byte to 1 and, finally, decode as little-endian.
The S_a value given in the Josefsson draft appears to have this canonicalization correctly pre-applied (after accounting for the byte reversal, that is), whereas the a value in RFC 7748 § 6.1 has the three least significant bits of the first byte set to one, and second most significant bit of the last byte set to zero.
Alternatively, one could simply interpret this as a from RFC 7748 § 6.1 being the raw input sequence of 32 random bytes (written as 32 pairs of hex digits concatenated together), whereas S_a from the Josefsson draft is the corresponding 256-bit number (written as a hexadecimal integer literal) obtained after those random bytes have been canonicalized as described above and decoded in little-endian order.
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
$endgroup$
I'm pretty sure this is an endianness issue. Specifically, taking the S_a value from the Josefsson draft and reversing the order of the bytes (i.e. pairs of hex digits) in it gives:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
which is almost the same as the value of a given in RFC 7748 § 6.1. In fact, XORing the values shows that they differ at only four bits:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
⊕ 77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
------------------------------------------------------------------
= 0700000000000000000000000000000000000000000000000000000000000040
The remaining difference seems to come down to canonicalization; in particular, RFC 7748 § 5 says (emphasis mine):
For X25519, in order to decode 32 random bytes as an integer scalar, set the three least significant bits of the first byte and the most significant bit of the last to zero, set the second most significant bit of the last byte to 1 and, finally, decode as little-endian.
The S_a value given in the Josefsson draft appears to have this canonicalization correctly pre-applied (after accounting for the byte reversal, that is), whereas the a value in RFC 7748 § 6.1 has the three least significant bits of the first byte set to one, and second most significant bit of the last byte set to zero.
Alternatively, one could simply interpret this as a from RFC 7748 § 6.1 being the raw input sequence of 32 random bytes (written as 32 pairs of hex digits concatenated together), whereas S_a from the Josefsson draft is the corresponding 256-bit number (written as a hexadecimal integer literal) obtained after those random bytes have been canonicalized as described above and decoded in little-endian order.
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
37.4k3 gold badges78 silver badges147 bronze badges
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f71983%2fdifferent-secret-keys-yield-the-same-public-key%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
