Replying to waxwing

I'm always a bit torn about stuff like this. On the one hand, CRT is cool and it's even cooler that people have made successful attacks on real world systems using these so-called 'twist attacks' (basically the fuck up is to not check if the "point" you're provided is actually on the curve).

https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md

But, on the other hand, calling it a danger when using secp256k1 for encryption seems a bit wrong when the danger is specifically that you *didn't* use secp256k1!

Indeed the substance of this attack is to exploit the fact that if a curve group has small subgroups, you can apply CRT to get info about secret keys. But secp256k1 doesn't have *any* subgroups. So the attack depends on the victim not checking if an externally given public key is actually on secp256k1. Combining that key in a DH type exchange leads to naughtiness.
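The check the post says victims skip, as an added example that is not part of the thread or the linked article: validate that a received secp256k1 public key really lies on y^2 = x^3 + 7 before using it in ECDH. The key encodings, sample inputs and helper names are this example's own; the curve constants are the published secp256k1 parameters.

```python
# Added example (not from the thread): reject off-curve ("twist") points before ECDH.
P = 2**256 - 2**32 - 977      # secp256k1 field prime, p ≡ 3 (mod 4)
B = 7                         # curve equation: y^2 = x^3 + 7 over F_p
# Published generator; the group order n equals the curve order (cofactor h = 1),
# so once a point is on the curve there is no small subgroup left to check.
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8

def is_on_curve(x, y):
    """True iff (x, y) has in-range coordinates and satisfies y^2 = x^3 + 7 mod p."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - pow(x, 3, P) - B) % P == 0

def validate_uncompressed(pub):
    """Parse a 65-byte 0x04||X||Y key. The on-curve test is the step a twist
    attack relies on being absent: X and Y arrive independently and are trusted."""
    if len(pub) != 65 or pub[0] != 0x04:
        raise ValueError("bad uncompressed encoding")
    x = int.from_bytes(pub[1:33], "big")
    y = int.from_bytes(pub[33:], "big")
    if not is_on_curve(x, y):
        raise ValueError("point is not on secp256k1 (possible twist point)")
    return x, y

def decompress(pub):
    """Parse a 33-byte 0x02/0x03||X key. y is derived from x, so an x whose
    x^3 + 7 has no square root mod p (a twist x-coordinate) cannot be decoded."""
    if len(pub) != 33 or pub[0] not in (0x02, 0x03):
        raise ValueError("bad compressed encoding")
    x = int.from_bytes(pub[1:], "big")
    if x >= P:
        raise ValueError("x out of range")
    rhs = (pow(x, 3, P) + B) % P
    y = pow(rhs, (P + 1) // 4, P)     # valid sqrt for p ≡ 3 (mod 4) when rhs is a residue
    if (y * y) % P != rhs:
        raise ValueError("x is not on secp256k1")
    if (y & 1) != (pub[0] & 1):       # pick the root whose parity matches the prefix
        y = P - y
    return x, y

def accepts(parser, pub):
    """Convenience wrapper: does `parser` accept this constructed key bytes?"""
    try:
        parser(pub)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed inputs: the generator, and the generator with y shifted off the curve.
    g_unc = b"\x04" + GX.to_bytes(32, "big") + GY.to_bytes(32, "big")
    bad_unc = b"\x04" + GX.to_bytes(32, "big") + (GY + 1).to_bytes(32, "big")
    print(accepts(validate_uncompressed, g_unc), accepts(validate_uncompressed, bad_unc))
    # x = 0 is a twist x-coordinate on secp256k1 (7 is a non-residue mod p), so it fails.
    print(accepts(decompress, b"\x02" + GX.to_bytes(32, "big")), accepts(decompress, b"\x02" + bytes(32)))
```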

ooh. can i fact check myself really fast? i'm working on my very short intro to elliptic curves for base58, and tell people in the video that the h=1 in the secp paper means exactly this: that there are no “subgroups” for the G group (i think i call them cycles). is that a correct explanation?


Discussion

ok wow this article is shockingly close to what i came up with for the elliptic curve portion of the soon to be released base58 part 2 basics class ❤️ (also confirms my understanding of the subgroups + secp256k1 🙌)

loved this detail wrt compressed keys

Yes indeed. 'Cofactor' is a bit of an obtuse term, i think it's related to the beautiful Lagrange's theorem. Or maybe i only think that because of the term 'coset'. Not sure.