[cryptography] A question about public keys

Michael Rogers michael at briarproject.org
Thu Oct 3 12:06:08 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/10/13 16:45, Trevor Perrin wrote:
> Suppose you are a good guy with a static curve25519 key, and a bad
> guy is sending you 32-byte strings, claiming them to be ephemeral
> curve25519 public keys for use in an ephemeral-static
> Diffie-Hellman.
> 
> You repeatedly perform your side of the ephemeral-static DH.  I.e.,
> you perform a curve25519 operation betweeen the bad guy's alleged
> ephemeral public key and your private key.  After each DH, you give
> the bad guy, say, some MAC based on the Diffie-Hellman result.
> 
> At issue is whether this is safe without checking that the bad
> guy's strings correspond to possible public keys.
> 
> And it is, with curve25519!

Thanks! I think I finally understand what it means to say that all
32-byte values are allowed as public keys but not all are valid public
keys. Sorry for taking so many round-trips. :-)

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJSTZXwAAoJEBEET9GfxSfMUQ4H/R+89hfxD8Wy8wjPt8Bj7gsx
rLLquJlvVqlvWqAGXzZcW/zkiqqb8nR5fCU+J5d8dAdB9M1J6AAJC10sDMoj+5/z
vIQMBIO+9W28bhaQbb3cWLsaG+tI4Uo/rkZrEPVkBvELXq33fBNjFd4VZFcNUX63
0ZZQwYZ08JzoDtOAIKLHjHq3xEkwi2a5TDGwQMy2p5KUmSf1kIRdyQIMMGoGmKua
KWtnfbeledr65+iqFIYyZlntMeMxSrgIJ0CRnjk09sqbkkjz8Pzau4/JEcuLBYhd
uJb7y73L2OdKjzWVdYWjLhThKDPnVOf3FVX6CHP121YxBa7zmEYxhhOmpBNOPqc=
=PH7z
-----END PGP SIGNATURE-----


More information about the cryptography mailing list