[cryptography] A question about public keys

Michael Rogers michael at briarproject.org
Thu Oct 3 09:41:30 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 29/09/13 20:24, Nico Williams wrote: > Just because curve25519
accepts every 32-byte value as a public key
> doesn't mean that every 32-byte value is a valid public key (one 
> resulting from applying the curve25519 operation).  The Elligator 
> paper discusses several methods for distinguishing valid public
> keys from random.

On 30/09/13 05:55, Trevor Perrin wrote:
> Phrasing this better: check that x^3 + 486662x^2 + x is a square
> modulo 2^255-19

Thanks Nico and Trevor for your replies. If I understand right, you're
both pointing to the "most severe" distinguisher in section 1.1 of the
Elligator 2 paper.

I'm afraid I still don't understand what it means for curve25519 to
"accept" a string as a public key if that string isn't a valid public
key. Does it just mean that the function has a defined output for that
input, even though that output isn't cryptographically useful?

Silently accepting invalid input and producing useless output seems
like a bug rather than a feature, so I feel like I must still be
misunderstanding the real meaning of "accepts".

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJSTXQKAAoJEBEET9GfxSfMIJkH/jmClrIJ6kD3D/h5MMf7cvIp
BVLMmGROGwIFhIrfFZwfqEFGQzBZNpMP06BYJsyPbMRf1uLxFixIYHhSYXCcA+IJ
ZvcLMkMptNVb2xPr9jkdC3tXd47udo23Pxo8pP3uo0i265TMkdNOyY4WwJlrnCGQ
B7FDXeNXRAtNxdbfrFR2hpCd6yyVk+rqDl3AxNCQ01Slf8HmfOKtcZu7WHHwxQFZ
4ECVtlQmdcAaO8JiNdhWzyzbFW7GEEzvCdzYl3hZTqyXfXM+asGFw90K4qXKAoZS
l3S7Q5Pl7tg0KxDL6iHz0XVUMpxH31Mac09DM+dZWT9hp7PEFWiF79XzD0AGi+4=
=qqWu
-----END PGP SIGNATURE-----


More information about the cryptography mailing list