Can multiple public keys lead to the same shared secret in X25519?


I have no mathematical knowledge about this, but I just read in RFC 7748 the following:

Designers using these curves should be aware that for each public key, there are several publicly computable public keys that are equivalent to it, i.e., they produce the same shared secrets. Thus using a public key as an identifier and knowledge of a shared secret as proof of ownership (without including the public keys in the key derivation) might lead to subtle vulnerabilities.

Does that mean that multiple Curve25519 public keys can produce the same shared key produced by X25519? I just don't understand.

Does this mean that key servers (let's say that such key servers even verify the ownership of these public keys by sending an encrypted challenge to the claimant) using Curve25519 are not a good idea?










      elliptic-curves diffie-hellman rfc7748






edited Sep 23 at 8:18 by kelalaka

asked Sep 7 at 20:51 by yuziyuzi

1 Answer







There are two independent sources of equivalent public keys for the X25519 function.

The first is rather simple: A public key is an integer u between $0$ and $2^{255}-1$ that represents an element of the finite field $\mathrm{GF}(2^{255}-19)$. Hence, for all $i\in\{0,\dots,18\}$, the integer $2^{255}-19+i$ represents the same field element as the integer $i$.

The second source of equivalence is a bit more specific.
In a nutshell, the X25519(k,u) function is defined as follows:

• Clamp the secret key k, forcing bits $0,1,2,255$ to zero and bit $254$ to one.
  In particular, note that this means the clamped scalar $k'$ is a multiple of $8$.

• Compute the scalar product $[k']P$, where $P$ is a Curve25519 point with $x$-coordinate u.

• Return the $x$-coordinate of $[k']P$.

Now Curve25519 has cofactor $8$, hence there exist nonzero points $Q$ of order dividing $8$. For any such point, the public key $P+Q$ is equivalent to the public key $P$: Since $k'$ is a multiple of $8$, we have
$$ [k']Q = [k'/8][8]Q = [k'/8]\infty = \infty $$
and therefore (using the distributive law)
$$ [k'](P+Q) = [k']P + [k']Q = [k']P+\infty = [k']P \text{.} $$

For a concrete example, the two public keys

629fb7d4a50e0339edfdfae1464fedb848dd35f25c5fecd3d3f5af61654a691d
b53677c430779b050cd6db7e1f4ca6735e07b30a61711f45a88e710790af772a

will, for every secret key, give identical shared secrets using X25519.






answered Sep 7 at 22:02 by yyyyyyyyyyyyyy
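An added example, not code from the question, the answer or RFC 7748: a pure-Python X25519 ladder written from the RFC's description, used to reproduce the first source of equivalence (the base point encoded as 9 and as 9 + p), to try the answer's quoted key pair, and to show the RFC's mitigation of feeding both public keys into the key derivation. The demo secret key, the SHA-256 key-derivation layout and the helper names are assumptions of this example.

```python
import hashlib
P = 2**255 - 19  # prime of the field GF(2^255 - 19)
A24 = 121665     # (486662 - 2) / 4, the Curve25519 ladder constant

def clamp(k: bytes) -> int:
    """RFC 7748 scalar decoding: clear bits 0, 1, 2 and 255, set bit 254 (so k' is a multiple of 8)."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")

def decode_u(u: bytes) -> int:
    """Mask the top bit as the RFC requires; non-canonical values >= p are accepted, not rejected."""
    b = bytearray(u)
    b[31] &= 127
    return int.from_bytes(b, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns the 32-byte u-coordinate of [k']P."""
    n, x1 = clamp(k), decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        if swap:  # conditional swap (a real implementation uses a constant-time cswap)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def raw_u(n: int) -> bytes:
    """Encode an integer as 32 little-endian bytes WITHOUT reducing mod p."""
    return n.to_bytes(32, "little")

BASEPOINT = raw_u(9)
SECRET = bytes(range(1, 33))  # constructed demo secret key; use os.urandom(32) in practice
# The two public keys the answer quotes as equivalent (second source of equivalence).
PK_A = bytes.fromhex("629fb7d4a50e0339edfdfae1464fedb848dd35f25c5fecd3d3f5af61654a691d")
PK_B = bytes.fromhex("b53677c430779b050cd6db7e1f4ca6735e07b30a61711f45a88e710790af772a")

def same_shared_secret(secret: bytes, pk_a: bytes, pk_b: bytes) -> bool:
    """True when two *different* public-key encodings give the same X25519 output."""
    return pk_a != pk_b and x25519(secret, pk_a) == x25519(secret, pk_b)

def derive_key(secret: bytes, my_pk: bytes, peer_pk: bytes) -> bytes:
    """The RFC's mitigation: bind both public-key encodings into the key derivation (assumed layout)."""
    return hashlib.sha256(x25519(secret, peer_pk) + my_pk + peer_pk).digest()

def rfc7748_vector_ok() -> bool:
    """Check the ladder against Alice's key pair from RFC 7748 section 6.1."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    return x25519(a, BASEPOINT).hex() == "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"

if __name__ == "__main__":
    my_pk = x25519(SECRET, BASEPOINT)
    print("ladder matches RFC 7748 vector:", rfc7748_vector_ok())
    # First source: 9 and 9 + p are different byte strings for the same field element.
    print("u = 9 and u = 9 + p agree:", same_shared_secret(SECRET, BASEPOINT, raw_u(9 + P)))
    # Second source: the answer's pair, which it states differ by a small-order point.
    print("answer's key pair agrees:", same_shared_secret(SECRET, PK_A, PK_B))
    # With both public keys in the KDF, the two encodings no longer derive the same key.
    print("derived keys differ:", derive_key(SECRET, my_pk, PK_A) != derive_key(SECRET, my_pk, PK_B))
```

A key server that identifies users by public key therefore has to compare canonical encodings and bind the public keys into whatever challenge it derives from the shared secret; a bare shared-secret check cannot tell equivalent encodings apart.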
