Distinguishing x25519 public keys from random?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
20
down vote

favorite
2












I recently read a piece of protocol that avoided sending ephemeral x25519 keys in the clear as an effort to foil deep-packet inspection.



I understand that x25519 public keys are effectively 255 bits, which must be serialized as 256 bits, leaving one unused bit that libraries typically fix as 0. For the purposes of this question, I'd like to leave this out and focus on the 255 used bits.



Alice generates a random private key K, and 255-bit public key K'. She generates R, a 255-bit random string. She flips a fair coin, and if heads, she sends a message M = K'. Otherwise, she sends M = R.



Eve receives this message and does not know K. She must guess whether M = K'. Can she do this with better than the 50% success rate she'd get by guessing? (In other words, can she distinguish the significant bits of a x25519 public key from random?)



edit: in response to a question, Eve has knowledge of the curve parameters.




distinguisher x25519




share|improve this question






















  • You can use the elligator2 encoding to avoid this
    – CodesInChaos♦
    Aug 27 at 19:33














up vote
20
down vote

favorite
2












I recently read a piece of protocol that avoided sending ephemeral x25519 keys in the clear as an effort to foil deep-packet inspection.



I understand that x25519 public keys are effectively 255 bits, which must be serialized as 256 bits, leaving one unused bit that libraries typically fix as 0. For the purposes of this question, I'd like to leave this out and focus on the 255 used bits.



Alice generates a random private key K, and 255-bit public key K'. She generates R, a 255-bit random string. She flips a fair coin, and if heads, she sends a message M = K'. Otherwise, she sends M = R.



Eve receives this message and does not know K. She must guess whether M = K'. Can she do this with better than the 50% success rate she'd get by guessing? (In other words, can she distinguish the significant bits of a x25519 public key from random?)



edit: in response to a question, Eve has knowledge of the curve parameters.




distinguisher x25519




share|improve this question






















  • You can use the elligator2 encoding to avoid this
    – CodesInChaos♦
    Aug 27 at 19:33












up vote
20
down vote

favorite
2









up vote
20
down vote

favorite
2






2





I recently read a piece of protocol that avoided sending ephemeral x25519 keys in the clear as an effort to foil deep-packet inspection.



I understand that x25519 public keys are effectively 255 bits, which must be serialized as 256 bits, leaving one unused bit that libraries typically fix as 0. For the purposes of this question, I'd like to leave this out and focus on the 255 used bits.



Alice generates a random private key K, and 255-bit public key K'. She generates R, a 255-bit random string. She flips a fair coin, and if heads, she sends a message M = K'. Otherwise, she sends M = R.



Eve receives this message and does not know K. She must guess whether M = K'. Can she do this with better than the 50% success rate she'd get by guessing? (In other words, can she distinguish the significant bits of a x25519 public key from random?)



edit: in response to a question, Eve has knowledge of the curve parameters.




distinguisher x25519




share|improve this question














I recently read a piece of protocol that avoided sending ephemeral x25519 keys in the clear as an effort to foil deep-packet inspection.



I understand that x25519 public keys are effectively 255 bits, which must be serialized as 256 bits, leaving one unused bit that libraries typically fix as 0. For the purposes of this question, I'd like to leave this out and focus on the 255 used bits.



Alice generates a random private key K, and 255-bit public key K'. She generates R, a 255-bit random string. She flips a fair coin, and if heads, she sends a message M = K'. Otherwise, she sends M = R.



Eve receives this message and does not know K. She must guess whether M = K'. Can she do this with better than the 50% success rate she'd get by guessing? (In other words, can she distinguish the significant bits of a x25519 public key from random?)



edit: in response to a question, Eve has knowledge of the curve parameters.





distinguisher x25519





share|improve this question













share|improve this question




share|improve this question








edited Aug 26 at 19:01

























asked Aug 26 at 16:52









Jonas

422110




422110











  • You can use the elligator2 encoding to avoid this
    – CodesInChaos♦
    Aug 27 at 19:33
















  • You can use the elligator2 encoding to avoid this
    – CodesInChaos♦
    Aug 27 at 19:33















You can use the elligator2 encoding to avoid this
– CodesInChaos♦
Aug 27 at 19:33




You can use the elligator2 encoding to avoid this
– CodesInChaos♦
Aug 27 at 19:33










1 Answer
1






active

oldest

votes

















up vote
21
down vote



accepted










A valid point of an elliptic curve in Weierstrass form satisfies the equation
$$
y^2 = x^3 + ax + b,.
$$
We can rewrite this as $y = pm sqrtx^3 + ax + b$, which has either 2 solutions when $x^3 + ax + b$ is a square, 1 solution when $x^3 + ax + b = 0$, or 0 solutions when $x^3 + ax + b$ is not a square.



In X25519, we only see the $x$ coordinate, but we can still make use of the above. The curve equation is
$$
y^2 = x^3 + 486662x^2 + x bmod 2^255-19,,
$$
from which we have that given a valid public key $x$, $x^3 + 486662x^2 + x$ must have a square root modulo $2^255-19$. On the other hand, a random string will be a square only around $1/2$ of the time. By inspecting $n$ candidate public keys, we can improve our certainty to $1 - 1/2^n$.






share|improve this answer
















  • 1




    The projection onto the prime order subgroup should give another 3 bits per attempt, if the standard implementation of curve25519 is used.
    – CodesInChaos♦
    Aug 27 at 19:35










Your Answer




StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f61777%2fdistinguishing-x25519-public-keys-from-random%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
21
down vote



accepted










A valid point of an elliptic curve in Weierstrass form satisfies the equation
$$
y^2 = x^3 + ax + b,.
$$
We can rewrite this as $y = pm sqrtx^3 + ax + b$, which has either 2 solutions when $x^3 + ax + b$ is a square, 1 solution when $x^3 + ax + b = 0$, or 0 solutions when $x^3 + ax + b$ is not a square.



In X25519, we only see the $x$ coordinate, but we can still make use of the above. The curve equation is
$$
y^2 = x^3 + 486662x^2 + x bmod 2^255-19,,
$$
from which we have that given a valid public key $x$, $x^3 + 486662x^2 + x$ must have a square root modulo $2^255-19$. On the other hand, a random string will be a square only around $1/2$ of the time. By inspecting $n$ candidate public keys, we can improve our certainty to $1 - 1/2^n$.






share|improve this answer
















  • 1




    The projection onto the prime order subgroup should give another 3 bits per attempt, if the standard implementation of curve25519 is used.
    – CodesInChaos♦
    Aug 27 at 19:35














up vote
21
down vote



accepted










A valid point of an elliptic curve in Weierstrass form satisfies the equation
$$
y^2 = x^3 + ax + b,.
$$
We can rewrite this as $y = pm sqrtx^3 + ax + b$, which has either 2 solutions when $x^3 + ax + b$ is a square, 1 solution when $x^3 + ax + b = 0$, or 0 solutions when $x^3 + ax + b$ is not a square.



In X25519, we only see the $x$ coordinate, but we can still make use of the above. The curve equation is
$$
y^2 = x^3 + 486662x^2 + x bmod 2^255-19,,
$$
from which we have that given a valid public key $x$, $x^3 + 486662x^2 + x$ must have a square root modulo $2^255-19$. On the other hand, a random string will be a square only around $1/2$ of the time. By inspecting $n$ candidate public keys, we can improve our certainty to $1 - 1/2^n$.






share|improve this answer
















  • 1




    The projection onto the prime order subgroup should give another 3 bits per attempt, if the standard implementation of curve25519 is used.
    – CodesInChaos♦
    Aug 27 at 19:35












up vote
21
down vote



accepted







up vote
21
down vote



accepted






A valid point of an elliptic curve in Weierstrass form satisfies the equation
$$
y^2 = x^3 + ax + b,.
$$
We can rewrite this as $y = pm sqrtx^3 + ax + b$, which has either 2 solutions when $x^3 + ax + b$ is a square, 1 solution when $x^3 + ax + b = 0$, or 0 solutions when $x^3 + ax + b$ is not a square.



In X25519, we only see the $x$ coordinate, but we can still make use of the above. The curve equation is
$$
y^2 = x^3 + 486662x^2 + x bmod 2^255-19,,
$$
from which we have that given a valid public key $x$, $x^3 + 486662x^2 + x$ must have a square root modulo $2^255-19$. On the other hand, a random string will be a square only around $1/2$ of the time. By inspecting $n$ candidate public keys, we can improve our certainty to $1 - 1/2^n$.






share|improve this answer












A valid point of an elliptic curve in Weierstrass form satisfies the equation
$$
y^2 = x^3 + ax + b,.
$$
We can rewrite this as $y = pm sqrtx^3 + ax + b$, which has either 2 solutions when $x^3 + ax + b$ is a square, 1 solution when $x^3 + ax + b = 0$, or 0 solutions when $x^3 + ax + b$ is not a square.



In X25519, we only see the $x$ coordinate, but we can still make use of the above. The curve equation is
$$
y^2 = x^3 + 486662x^2 + x bmod 2^255-19,,
$$
from which we have that given a valid public key $x$, $x^3 + 486662x^2 + x$ must have a square root modulo $2^255-19$. On the other hand, a random string will be a square only around $1/2$ of the time. By inspecting $n$ candidate public keys, we can improve our certainty to $1 - 1/2^n$.







share|improve this answer












share|improve this answer



share|improve this answer










answered Aug 26 at 21:36









Samuel Neves

7,0972540




7,0972540







  • 1




    The projection onto the prime order subgroup should give another 3 bits per attempt, if the standard implementation of curve25519 is used.
    – CodesInChaos♦
    Aug 27 at 19:35












  • 1




    The projection onto the prime order subgroup should give another 3 bits per attempt, if the standard implementation of curve25519 is used.
    – CodesInChaos♦
    Aug 27 at 19:35







1




1




The projection onto the prime order subgroup should give another 3 bits per attempt, if the standard implementation of curve25519 is used.
– CodesInChaos♦
Aug 27 at 19:35




The projection onto the prime order subgroup should give another 3 bits per attempt, if the standard implementation of curve25519 is used.
– CodesInChaos♦
Aug 27 at 19:35

















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f61777%2fdistinguishing-x25519-public-keys-from-random%23new-answer', 'question_page');

);

Post as a guest
































































-

這個網誌中的熱門文章

How to combine Bézier curves to a surface?

圖片
Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite My aim is to smooth the terrain in a video game. Therefore I contrived an algorithm that makes use of Bézier curves of different orders. But this algorithm is defined in a two dimensional space for now. To shift it into the third dimension I need to somehow combine the Bézier curves. Given two curves in each two dimensions, how can I combine them to build a surface? I thought about something like a curve of a curve. Or maybe I could multiply them somehow. How can I combine them to cause the wanted behavior? Is there a common approach? In the image you can see the input, on the left, and the output, on the right, of the algorithm that works in a two dimensional space. For the real application there is a three dimensional input. The algorithm relays only on the adjacent tiles. Given these it will define the control points of the mentioned Bézier curve. Additionally it marks one side of the curve as inside t
閱讀完整內容

Why am i infinitely getting the same tweet with the Twitter Search API?

圖片
up vote 0 down vote favorite My code workes perfectly for other queries, but for one query I am infinitely getting the same tweet. I can't understand what the problem is. API call: query='Allergic asthma OR Nonallergic asthma OR Occupational asthma OR EIB OR Exercise-induced bronchoconstriction OR Nocturnal asthma OR Cough-variant asthma' new_tweets = api.search(q=searchQuery, count=100, since_id=since_id, lang='en',tweet_mode='extended') if not new_tweets: print("No more tweets found") break for tweet in new_tweets: if True: print(jsonpickle.encode(tweet._json, unpicklable=False)) my_file = open('searchTweets.txt','a') my_file.write(jsonpickle.encode(tweet._json, unpicklable=False)+'n') my_file.close() else: continue Output in file: https://pastebin.com/JmRCsTeE These are the JSONs of the same Tweet. Other queries that work: Breast cancer OR Prostate cancer OR Colon cancer OR Lung cancer Type 2 dia
閱讀完整內容

Carbon dioxide

圖片
"CO2" redirects here. For other uses, see CO2 (disambiguation). Carbon dioxide Names Other names Carbonic acid gas Carbonic anhydride Carbonic oxide Carbon oxide Carbon(IV) oxide Dry ice (solid phase) Identifiers CAS Number 124-38-9   Y 3D model (JSmol) Interactive image Interactive image 3DMet B01131 Beilstein Reference 1900390 ChEBI CHEBI:16526   Y ChEMBL ChEMBL1231871   N ChemSpider 274   Y ECHA InfoCard 100.004.271 EC Number 204-696-9 E number E290 (preservatives) Gmelin Reference 989 KEGG D00004   Y MeSH Carbon+dioxide PubChem CID 280 RTECS number FF6400000 UNII 142M471B3J   Y UN number 1013 (gas), 1845 (solid) InChI InChI=1S/CO2/c2-1-3   Y Key: CURLTUGMZLYLDI-UHFFFAOYSA-N   Y InChI=1/CO2/c2-1-3 Key: CURLTUGMZLYLDI-UHFFFAOYAO SMILES O=C=O C(=O)=O Properties Chemical formula C O 2 Molar mass 44.01 g·mol −1 Appearance Colorless gas Odor Low concentrations: none High concentrations: sharp; acidic [1] Density 1562 kg/m 3 (solid at 1 atm and −78.5 °C) 1101 kg/m 3 (liquid at
閱讀完整內容