[Cryptography] [FORGED] Re: Why is ECC secure?

CodesInChaos codesinchaos at gmail.com
Mon Jun 1 14:54:16 EDT 2015


> Show me one real-world example of a Montgomery ladder-based ECC system leaking a private key because of a usage mistake.

One of DJB's 64-bit asm implementations of Curve25519/Ed25519
contained a carry bug. I'm pretty sure that this bug allows key
recovery when using a long-term DH key.

As far as I can tell, nobody actually used this implementation. But it
shows that even with a nice Montgomery curve you can get a
hard-to-detect bug that allows key recovery.

