Issue in `ECDH(a, B)` with check calculating shared secret?
cobratbq opened this issue · comments
I'm in conversation with Bouncy Castle devs. He noticed something in the section on generating shared secrets.
ECDH(a, B)
K_ecdh = a * B
if K_ecdh == 0 (check that it is an all-zero value)
return error
else
return K_ecdh
He is wondering if if K_ecdh == 0
is a remnant of the Montgomery-based logic, where 0
is the neutral element as Montgomery u-coordinate
. Given that we work with Edwards representation, should this be a comparison to (0, 1)
(neutral element)? (or its corresponding binary encoding)
Hey!
Given that we work with Edwards representation, should this be a comparison to (0, 1) (neutral element)?
We are already checking for that:
Check that X is not equal to the identity element (I).
where the Identity element is:
Identity element (I)
(x=0,
y=1)
The reason why we check is because: Shared keys are created by contributory behaviour. Contributory behaviour means that both parties' private keys contribute to the resulting shared key. Since curve448 has a cofactor of 4, an input point of small order will eliminate any contribution from the other party's private key.