Representations of secret keys on Curve25519ECC - ElGamal with Montgomery or Edwards type curves (curve25519, ed25519) - possible?Point addition in NaCl/libsodium (Curve25519)Public Key Encryption using ECDHE and AES-GCMHow can I split a packed Ed25519 public signing key into its X and Y coordinates?How to convert from curve25519 33 byte to 32 byte representationmbed tls DTLS v1.2 system with -ECDHE-ECDSA, mutual auth and pre-installed public/private keys, no unnecessary messages or ASN.1/X.509 decodingDoes AES-GCM without security tag turn into regular CTR Mode?What is the difference between a sealed box and a normal box in libsodium?Curve25519 Key Exchange Bit SecurityIs the curve25519 algorithm a special(implementation) one of ECDH?
A scene of Jimmy diversity
Do I need a 50/60Hz notch filter for battery powered devices?
Foldable, multipart helicopter blades
Can a dragon's breath weapon pass through Leomund's Tiny Hut?
More output neurons than labels?
What are the arguments for California’s nonpartisan blanket (jungle) primaries?
Kepler space telescope planets detection
What "fuel more powerful than anything the West (had) in stock" put Laika in orbit aboard Sputnik 2?
Sending a photo of my bank account card to the future employer
Why should I cook the flour first when making bechamel sauce?
Should I be able to keep my company purchased standing desk when I leave my job?
Get back to US from Canada without passport
If I stood next to a piece of metal heated to a million degrees, but in a perfect vacuum, would I feel hot?
Is it OK to use personal email ID for faculty job applications or should we use (current) institute's ID
Can you perfectly wrap a cube with this blocky shape?
Finding the package which provides a given command
Why do so many pure math PhD students drop out or leave academia, compared to applied mathematics PhDs?
Alternator dying so junk car?
Returning strings showing all vertices from all polygons in shapefile using ArcPy?
How to determine the optimal threshold to achieve the highest accuracy
Representations of secret keys on Curve25519
Credit card details stolen every 1-2 years. What am I doing wrong?
Is there an English equivalent for "Les carottes sont cuites", while keeping the vegetable reference?
Sankhara meditation
Representations of secret keys on Curve25519
ECC - ElGamal with Montgomery or Edwards type curves (curve25519, ed25519) - possible?Point addition in NaCl/libsodium (Curve25519)Public Key Encryption using ECDHE and AES-GCMHow can I split a packed Ed25519 public signing key into its X and Y coordinates?How to convert from curve25519 33 byte to 32 byte representationmbed tls DTLS v1.2 system with -ECDHE-ECDSA, mutual auth and pre-installed public/private keys, no unnecessary messages or ASN.1/X.509 decodingDoes AES-GCM without security tag turn into regular CTR Mode?What is the difference between a sealed box and a normal box in libsodium?Curve25519 Key Exchange Bit SecurityIs the curve25519 algorithm a special(implementation) one of ECDH?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
$begingroup$
https://tools.ietf.org/html/draft-josefsson-tls-curve25519-06#appendix-A.2 gives the following as a secret key / public key combo:
S_a = 0x6A2CB91DA5FB77B12A99C0EB872F4CDF
4566B25172C1163C7DA518730A6D0770
P_a = 85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
https://tools.ietf.org/html/rfc7748#section-6.1 gives another secret key / public key combo:
Alice's private key, a:
77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
Alice's public key, X25519(a, 9):
8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a
Note how the public key is the same for both but the secret key is not.
sodium_crypto_box
_publickey_from_secretkey seems to concur with the RFC but not the IETF Draft:
https://3v4l.org/i61aE
My question is... what is the RFC doing that the draft is not?
I ask because I have an implementation that is giving me the correct public key from the secret key in the IETF Draft and I'm wanting to make it so that I can use that same implementation to get the public key from the secret key in the IETF RFC. But, more than that, I'm just curious.
Thanks!
elliptic-curves diffie-hellman libsodium x25519
edited 14 mins ago
Gilles
8,7303 gold badges28 silver badges58 bronze badges
asked 9 hours ago
neubertneubert
1,43015 silver badges29 bronze badges
$endgroup$
add a comment |
$begingroup$
https://tools.ietf.org/html/draft-josefsson-tls-curve25519-06#appendix-A.2 gives the following as a secret key / public key combo:
S_a = 0x6A2CB91DA5FB77B12A99C0EB872F4CDF
4566B25172C1163C7DA518730A6D0770
P_a = 85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
https://tools.ietf.org/html/rfc7748#section-6.1 gives another secret key / public key combo:
Alice's private key, a:
77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
Alice's public key, X25519(a, 9):
8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a
Note how the public key is the same for both but the secret key is not.
sodium_crypto_box
_publickey_from_secretkey seems to concur with the RFC but not the IETF Draft:
https://3v4l.org/i61aE
My question is... what is the RFC doing that the draft is not?
I ask because I have an implementation that is giving me the correct public key from the secret key in the IETF Draft and I'm wanting to make it so that I can use that same implementation to get the public key from the secret key in the IETF RFC. But, more than that, I'm just curious.
Thanks!
elliptic-curves diffie-hellman libsodium x25519
edited 14 mins ago
Gilles
8,7303 gold badges28 silver badges58 bronze badges
asked 9 hours ago
neubertneubert
1,43015 silver badges29 bronze badges
$endgroup$
add a comment |
$begingroup$
https://tools.ietf.org/html/draft-josefsson-tls-curve25519-06#appendix-A.2 gives the following as a secret key / public key combo:
S_a = 0x6A2CB91DA5FB77B12A99C0EB872F4CDF
4566B25172C1163C7DA518730A6D0770
P_a = 85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
https://tools.ietf.org/html/rfc7748#section-6.1 gives another secret key / public key combo:
Alice's private key, a:
77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
Alice's public key, X25519(a, 9):
8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a
Note how the public key is the same for both but the secret key is not.
sodium_crypto_box
_publickey_from_secretkey seems to concur with the RFC but not the IETF Draft:
https://3v4l.org/i61aE
My question is... what is the RFC doing that the draft is not?
I ask because I have an implementation that is giving me the correct public key from the secret key in the IETF Draft and I'm wanting to make it so that I can use that same implementation to get the public key from the secret key in the IETF RFC. But, more than that, I'm just curious.
Thanks!
elliptic-curves diffie-hellman libsodium x25519
edited 14 mins ago
Gilles
8,7303 gold badges28 silver badges58 bronze badges
asked 9 hours ago
neubertneubert
1,43015 silver badges29 bronze badges
$endgroup$
https://tools.ietf.org/html/draft-josefsson-tls-curve25519-06#appendix-A.2 gives the following as a secret key / public key combo:
S_a = 0x6A2CB91DA5FB77B12A99C0EB872F4CDF
4566B25172C1163C7DA518730A6D0770
P_a = 85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
https://tools.ietf.org/html/rfc7748#section-6.1 gives another secret key / public key combo:
Alice's private key, a:
77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
Alice's public key, X25519(a, 9):
8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a
Note how the public key is the same for both but the secret key is not.
sodium_crypto_box
_publickey_from_secretkey seems to concur with the RFC but not the IETF Draft:
https://3v4l.org/i61aE
My question is... what is the RFC doing that the draft is not?
I ask because I have an implementation that is giving me the correct public key from the secret key in the IETF Draft and I'm wanting to make it so that I can use that same implementation to get the public key from the secret key in the IETF RFC. But, more than that, I'm just curious.
Thanks!
elliptic-curves diffie-hellman libsodium x25519
elliptic-curves diffie-hellman libsodium x25519
edited 14 mins ago
Gilles
8,7303 gold badges28 silver badges58 bronze badges
asked 9 hours ago
neubertneubert
1,43015 silver badges29 bronze badges
edited 14 mins ago
Gilles
8,7303 gold badges28 silver badges58 bronze badges
asked 9 hours ago
neubertneubert
1,43015 silver badges29 bronze badges
edited 14 mins ago
Gilles
8,7303 gold badges28 silver badges58 bronze badges
edited 14 mins ago
Gilles
8,7303 gold badges28 silver badges58 bronze badges
edited 14 mins ago
Gilles
8,7303 gold badges28 silver badges58 bronze badges
8,7303 gold badges28 silver badges58 bronze badges
asked 9 hours ago
neubertneubert
1,43015 silver badges29 bronze badges
asked 9 hours ago
neubertneubert
1,43015 silver badges29 bronze badges
asked 9 hours ago
neubertneubert
1,43015 silver badges29 bronze badges
1,43015 silver badges29 bronze badges
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
$begingroup$
I'm pretty sure this is an endianness issue. Specifically, taking the S_a value from the Josefsson draft and reversing the order of the bytes (i.e. pairs of hex digits) in it gives:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
which is almost the same as the value of a given in RFC 7748 § 6.1. In fact, XORing the values shows that they differ at only four bits:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
⊕ 77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
------------------------------------------------------------------
= 0700000000000000000000000000000000000000000000000000000000000040
The remaining difference seems to come down to canonicalization; in particular, RFC 7748 § 5 says (emphasis mine):
For X25519, in order to decode 32 random bytes as an integer scalar, set the three least significant bits of the first byte and the most significant bit of the last to zero, set the second most significant bit of the last byte to 1 and, finally, decode as little-endian.
The S_a value given in the Josefsson draft appears to have this canonicalization correctly pre-applied (after accounting for the byte reversal, that is), whereas the a value in RFC 7748 § 6.1 has the three least significant bits of the first byte set to one, and second most significant bit of the last byte set to zero.
Alternatively, one could simply interpret this as a from RFC 7748 § 6.1 being the raw input sequence of 32 random bytes (written as 32 pairs of hex digits concatenated together), whereas S_a from the Josefsson draft is the corresponding 256-bit number (written as a hexadecimal integer literal) obtained after those random bytes have been canonicalized as described above and decoded in little-endian order.
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
$endgroup$
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f71983%2frepresentations-of-secret-keys-on-curve25519%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
I'm pretty sure this is an endianness issue. Specifically, taking the S_a value from the Josefsson draft and reversing the order of the bytes (i.e. pairs of hex digits) in it gives:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
which is almost the same as the value of a given in RFC 7748 § 6.1. In fact, XORing the values shows that they differ at only four bits:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
⊕ 77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
------------------------------------------------------------------
= 0700000000000000000000000000000000000000000000000000000000000040
The remaining difference seems to come down to canonicalization; in particular, RFC 7748 § 5 says (emphasis mine):
For X25519, in order to decode 32 random bytes as an integer scalar, set the three least significant bits of the first byte and the most significant bit of the last to zero, set the second most significant bit of the last byte to 1 and, finally, decode as little-endian.
The S_a value given in the Josefsson draft appears to have this canonicalization correctly pre-applied (after accounting for the byte reversal, that is), whereas the a value in RFC 7748 § 6.1 has the three least significant bits of the first byte set to one, and second most significant bit of the last byte set to zero.
Alternatively, one could simply interpret this as a from RFC 7748 § 6.1 being the raw input sequence of 32 random bytes (written as 32 pairs of hex digits concatenated together), whereas S_a from the Josefsson draft is the corresponding 256-bit number (written as a hexadecimal integer literal) obtained after those random bytes have been canonicalized as described above and decoded in little-endian order.
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
$endgroup$
add a comment |
$begingroup$
I'm pretty sure this is an endianness issue. Specifically, taking the S_a value from the Josefsson draft and reversing the order of the bytes (i.e. pairs of hex digits) in it gives:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
which is almost the same as the value of a given in RFC 7748 § 6.1. In fact, XORing the values shows that they differ at only four bits:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
⊕ 77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
------------------------------------------------------------------
= 0700000000000000000000000000000000000000000000000000000000000040
The remaining difference seems to come down to canonicalization; in particular, RFC 7748 § 5 says (emphasis mine):
For X25519, in order to decode 32 random bytes as an integer scalar, set the three least significant bits of the first byte and the most significant bit of the last to zero, set the second most significant bit of the last byte to 1 and, finally, decode as little-endian.
The S_a value given in the Josefsson draft appears to have this canonicalization correctly pre-applied (after accounting for the byte reversal, that is), whereas the a value in RFC 7748 § 6.1 has the three least significant bits of the first byte set to one, and second most significant bit of the last byte set to zero.
Alternatively, one could simply interpret this as a from RFC 7748 § 6.1 being the raw input sequence of 32 random bytes (written as 32 pairs of hex digits concatenated together), whereas S_a from the Josefsson draft is the corresponding 256-bit number (written as a hexadecimal integer literal) obtained after those random bytes have been canonicalized as described above and decoded in little-endian order.
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
$endgroup$
add a comment |
$begingroup$
I'm pretty sure this is an endianness issue. Specifically, taking the S_a value from the Josefsson draft and reversing the order of the bytes (i.e. pairs of hex digits) in it gives:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
which is almost the same as the value of a given in RFC 7748 § 6.1. In fact, XORing the values shows that they differ at only four bits:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
⊕ 77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
------------------------------------------------------------------
= 0700000000000000000000000000000000000000000000000000000000000040
The remaining difference seems to come down to canonicalization; in particular, RFC 7748 § 5 says (emphasis mine):
For X25519, in order to decode 32 random bytes as an integer scalar, set the three least significant bits of the first byte and the most significant bit of the last to zero, set the second most significant bit of the last byte to 1 and, finally, decode as little-endian.
The S_a value given in the Josefsson draft appears to have this canonicalization correctly pre-applied (after accounting for the byte reversal, that is), whereas the a value in RFC 7748 § 6.1 has the three least significant bits of the first byte set to one, and second most significant bit of the last byte set to zero.
Alternatively, one could simply interpret this as a from RFC 7748 § 6.1 being the raw input sequence of 32 random bytes (written as 32 pairs of hex digits concatenated together), whereas S_a from the Josefsson draft is the corresponding 256-bit number (written as a hexadecimal integer literal) obtained after those random bytes have been canonicalized as described above and decoded in little-endian order.
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
$endgroup$
I'm pretty sure this is an endianness issue. Specifically, taking the S_a value from the Josefsson draft and reversing the order of the bytes (i.e. pairs of hex digits) in it gives:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
which is almost the same as the value of a given in RFC 7748 § 6.1. In fact, XORing the values shows that they differ at only four bits:
70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a
⊕ 77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a
------------------------------------------------------------------
= 0700000000000000000000000000000000000000000000000000000000000040
The remaining difference seems to come down to canonicalization; in particular, RFC 7748 § 5 says (emphasis mine):
For X25519, in order to decode 32 random bytes as an integer scalar, set the three least significant bits of the first byte and the most significant bit of the last to zero, set the second most significant bit of the last byte to 1 and, finally, decode as little-endian.
The S_a value given in the Josefsson draft appears to have this canonicalization correctly pre-applied (after accounting for the byte reversal, that is), whereas the a value in RFC 7748 § 6.1 has the three least significant bits of the first byte set to one, and second most significant bit of the last byte set to zero.
Alternatively, one could simply interpret this as a from RFC 7748 § 6.1 being the raw input sequence of 32 random bytes (written as 32 pairs of hex digits concatenated together), whereas S_a from the Josefsson draft is the corresponding 256-bit number (written as a hexadecimal integer literal) obtained after those random bytes have been canonicalized as described above and decoded in little-endian order.
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
answered 7 hours ago
Ilmari KaronenIlmari Karonen
37.4k3 gold badges78 silver badges147 bronze badges
37.4k3 gold badges78 silver badges147 bronze badges
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f71983%2frepresentations-of-secret-keys-on-curve25519%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown