Can multiple public keys lead to the same shared secret in X25519?
I have no mathematical knowledge about this, but I just read in RFC 7748 the following:

Designers using these curves should be aware that for each public key, there are several publicly computable public keys that are equivalent to it, i.e., they produce the same shared secrets. Thus using a public key as an identifier and knowledge of a shared secret as proof of ownership (without including the public keys in the key derivation) might lead to subtle vulnerabilities.

Does that mean that multiple Curve25519 public keys can produce the same shared key produced by X25519? I just don't understand.

Does this mean that key servers (let's say that such key servers even verify the ownership of these public keys by sending an encrypted challenge to the claimant) using Curve25519 are not a good idea?

elliptic-curves diffie-hellman rfc7748
edited Sep 23 at 8:18 by kelalaka
asked Sep 7 at 20:51 by yuziyuzi
1 Answer
There are two independent sources of equivalent public keys for the X25519 function.

The first is rather simple: A public key is an integer $u$ between $0$ and $2^{255}-1$ that represents an element of the finite field $\mathrm{GF}(2^{255}-19)$. Hence, for all $i\in\{0,\dots,18\}$, the integer $2^{255}-19+i$ represents the same field element as the integer $i$.

The second source of equivalence is a bit more specific. In a nutshell, the $\mathrm{X25519}(k,u)$ function is defined as follows:

- Clamp the secret key $k$, forcing bits $0,1,2,255$ to zero and bit $254$ to one. In particular, note that this means the clamped scalar $k'$ is a multiple of $8$.
- Compute the scalar product $[k']P$, where $P$ is a Curve25519 point with $x$-coordinate $u$.
- Return the $x$-coordinate of $[k']P$.

Now Curve25519 has cofactor $8$, hence there exist nonzero points $Q$ of order dividing $8$. For any such point, the public key $P+Q$ is equivalent to the public key $P$: Since $k'$ is a multiple of $8$, we have
$$ [k']Q = [k'/8][8]Q = [k'/8]\infty = \infty $$
and therefore (using the distributive law)
$$ [k'](P+Q) = [k']P + [k']Q = [k']P+\infty = [k']P \text{.} $$

For a concrete example, the two public keys

629fb7d4a50e0339edfdfae1464fedb848dd35f25c5fecd3d3f5af61654a691d
b53677c430779b050cd6db7e1f4ca6735e07b30a61711f45a88e710790af772a

will, for every secret key, give identical shared secrets using X25519.
answered Sep 7 at 22:02 by yyyyyyyyyyyyyy
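As an added example (not part of the original post or of RFC 7748's own code), a minimal pure-Python X25519 following the RFC 7748 ladder lets a reader check both sources of equivalence the answer describes: the two quoted public keys give the same raw shared secret, as do the encodings of u and u+p. It also shows the mitigation the RFC text hints at, binding both public keys into the key derivation; the SHA-256 based `derive_session_key` and the secret key `SK` are assumptions of this example.

```python
import hashlib

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (A - 2) / 4 for the Montgomery coefficient A = 486662

def clamp(k: bytes) -> int:
    # RFC 7748 scalar decoding: clear bits 0,1,2,255 and set bit 254; k' is a multiple of 8
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def decode_u(u: bytes) -> int:
    # Mask only the top bit; values in [p, 2^255) are not reduced, so u and u+p decode
    # to the same field element (the answer's first source of equivalence).
    b = bytearray(u)
    b[31] &= 127
    return int.from_bytes(b, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    # Montgomery ladder of RFC 7748 section 5 (not constant-time; illustration only).
    kk, x1 = clamp(k), decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (kk >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def same_shared_secret(k: bytes, u1: bytes, u2: bytes) -> bool:
    # True when two peer public keys give the same raw X25519 output under secret k.
    return x25519(k, u1) == x25519(k, u2)

def derive_session_key(k: bytes, own_pk: bytes, peer_pk: bytes) -> bytes:
    # The RFC's mitigation (assumed construction): bind both public keys into the key
    # derivation, so an equivalent-but-different peer key no longer yields the same key.
    return hashlib.sha256(x25519(k, peer_pk) + own_pk + peer_pk).digest()

# The two equivalent public keys quoted in the answer, plus a constructed secret key.
PK_A = bytes.fromhex("629fb7d4a50e0339edfdfae1464fedb848dd35f25c5fecd3d3f5af61654a691d")
PK_B = bytes.fromhex("b53677c430779b050cd6db7e1f4ca6735e07b30a61711f45a88e710790af772a")
BASEPOINT = (9).to_bytes(32, "little")
SK = bytes(range(32))
```

The raw `x25519` outputs for `PK_A` and `PK_B` agree under any secret key, while `derive_session_key` distinguishes them because the peer's encoded public key enters the hash.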