
An important point to note, that is not very obvious from the text, is that it is (very, very) difficult to retrieve ka from A=ka.P and kb from B=kb.P. For an attacker who has A and B, it's close to impossible to recover P and ka.kb.P


Isn't P always the same? Or is it shared before the exchange?

Edit: just looked it up and the base point for curve25519 is x=9 so no point in recovering it.


In modern curves P is set in stone ahead of time.

In the early days of EC you were able to pick a custom base point, and then it was found that this could leak information in various ways. It’s not allowed in modern curves or implementations.


Sorry, I wrote that comment too quickly. It is close to impossible to recover ka, kb and ka.kb.P, even given A=ka.P, B=kb.P and P.
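The exchange the commenters are describing, worked through with curve25519's fixed base point u = 9, as an added example that is not part of any comment above: each side computes its public value k.P from its private scalar, then combines the peer's public value with its own scalar to reach the same ka.kb.P. The Montgomery ladder follows the RFC 7748 pseudocode; the keys below are the RFC 7748 section 6.1 test vectors, not keys anyone should reuse, and Python big-integer arithmetic is not constant-time, so this is for study rather than production use. Function names such as `public_key` and `shared_secret` are this example's own.

```python
"""X25519 (RFC 7748) key agreement in pure Python: A = ka.P, B = kb.P, shared = ka.kb.P.

Added illustration for the thread; follows the RFC 7748 ladder. Not constant-time in
Python, so it is for understanding the construction, not for deployment.
"""

P_MOD = 2**255 - 19   # field prime
A24 = 121665          # (486662 - 2) / 4, curve constant used by the ladder step
BASE_POINT_U = 9      # the fixed base point P of curve25519: its u-coordinate is 9


def clamp_scalar(k_bytes: bytes) -> int:
    """Decode a 32-byte private key into a scalar with the RFC 7748 clamping."""
    k = bytearray(k_bytes)
    k[0] &= 248     # clear low 3 bits: multiple of the cofactor 8
    k[31] &= 127    # clear the top bit
    k[31] |= 64     # set bit 254 so the ladder runs a fixed number of steps
    return int.from_bytes(k, "little")


def decode_u(u_bytes: bytes) -> int:
    """Decode a little-endian u-coordinate, ignoring the unused top bit."""
    u = bytearray(u_bytes)
    u[31] &= 127
    return int.from_bytes(u, "little")


def encode_u(u: int) -> bytes:
    return (u % P_MOD).to_bytes(32, "little")


def _cswap(swap: int, a: int, b: int):
    """Mask-based conditional swap as written in the RFC (swap is 0 or 1)."""
    mask = -swap                # 0 or all-ones
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy


def scalar_mult(k: int, u: int) -> int:
    """Montgomery ladder: u-coordinate of k.Q, where Q has u-coordinate u."""
    x_1 = u
    x_2, z_2 = 1, 0
    x_3, z_3 = u, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P_MOD
        aa = a * a % P_MOD
        b = (x_2 - z_2) % P_MOD
        bb = b * b % P_MOD
        e = (aa - bb) % P_MOD
        c = (x_3 + z_3) % P_MOD
        d = (x_3 - z_3) % P_MOD
        da = d * a % P_MOD
        cb = c * b % P_MOD
        x_3 = (da + cb) ** 2 % P_MOD
        z_3 = x_1 * ((da - cb) ** 2) % P_MOD
        x_2 = aa * bb % P_MOD
        z_2 = e * (aa + A24 * e) % P_MOD
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return x_2 * pow(z_2, P_MOD - 2, P_MOD) % P_MOD   # x_2 / z_2 in the field


def x25519(private_key: bytes, peer_u: bytes) -> bytes:
    return encode_u(scalar_mult(clamp_scalar(private_key), decode_u(peer_u)))


def public_key(private_key: bytes) -> bytes:
    """A = ka.P with the agreed base point; P is never chosen per exchange."""
    return x25519(private_key, encode_u(BASE_POINT_U))


def shared_secret(my_private: bytes, peer_public: bytes) -> bytes:
    """ka.(kb.P); rejects the all-zero result that low-order peer points produce (RFC 7748 6.1)."""
    secret = x25519(my_private, peer_public)
    if secret == bytes(32):
        raise ValueError("low-order peer point: shared secret is all zeros")
    return secret


# RFC 7748 section 6.1 test vectors (Alice and Bob private keys).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")


def demo():
    """Returns (A, B, Alice's ka.B, Bob's kb.A) as hex; the last two agree."""
    a_pub = public_key(ALICE_PRIV)
    b_pub = public_key(BOB_PRIV)
    return (a_pub.hex(), b_pub.hex(),
            shared_secret(ALICE_PRIV, b_pub).hex(),
            shared_secret(BOB_PRIV, a_pub).hex())


if __name__ == "__main__":
    for label, value in zip(("A", "B", "Alice's secret", "Bob's secret"), demo()):
        print(f"{label}: {value}")
```

Only A and B ever cross the wire; an observer holding both still has to solve for ka or kb to reach ka.kb.P, which is the discrete-logarithm hardness the thread is pointing at. The all-zero check matters in practice: a peer can send a low-order point so that every private key maps to the same output, and an implementation that skips the check leaks nothing about the key but silently agrees on a secret the attacker can predict.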



