Probably because the definition of X25519 requires that bits 0, 1, and 2 of the first byte of the private key are set to 0 before being used, and OpenSSL counts the number of bits including the highest-order set bit. (Really, there's an additional 2 bits that are also set to known values: bit 6 of the last byte is set, and bit 7 of the last byte is cleared. In my view, this actually reduces the necessary brute-force search space from 256 bits to 251 bits. However, literally any 32-byte string can be used as a public key. Apparently, djb views this as sufficient to call it a 256-bit strength function.)
For the specification, please see the subsection entitled "Responsibilities of the User" in section 3 of https://cr.yp.to/ecdh/curve25519-20060209.pdf . -Kyle H On Mon, Sep 3, 2018, 22:29 M K Saravanan <mksa...@gmail.com> wrote: > Hi, > > When using openssl with X25519, why it shows the server temp key as 253 > bits? > > Example: > > --- > No client certificate CA names sent > Peer signing digest: SHA256 > Peer signature type: RSA > Server Temp Key: X25519, 253 bits > --- > > I thought Curve25519 is using 256 bit keys. > > Why 253 instead of 256? > > with regards, > Saravanan > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users