
It's more subtle than that and is not actually that simple (though the attack is). The "modern" curve constructions pioneered by Bernstein are supposed to be misuse-resistant in this regard; Bernstein popularized both Montgomery and Edwards curves. His two major curve implementations are Curve25519 and Ed25519, which are different mathematical representations of the same underlying curve. Curve25519 famously isn't vulnerable to this attack!




Bernstein also published a simple checklist [1] of what people are likely to do wrong if not ruled out by design. Bullet point 2 on that list was:

> Your implementation leaks secret data when the input isn't a curve point.

[1]: https://safecurves.cr.yp.to/
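Added example (not code from the thread, from Bernstein, or from any real library): a toy short-Weierstrass ECDH over a constructed curve y^2 = x^3 + 2x + 3 mod 1019, showing why checklist item 2 matters. The affine addition formulas never use the curve constant b, so a peer that skips the on-curve check is silently doing its scalar multiplication on whichever curve the attacker's point lies on; the attacker picks points of small prime order on such curves, learns the secret modulo each order, and combines the residues with CRT. The curve, the prime, and the secret 777 are all constructed for the demo; `naive_ecdh` is the leaky version and `safe_ecdh` the one that rejects non-curve points.

```python
"""Toy invalid-curve attack on ECDH without point validation (constructed example)."""

# Constructed toy parameters, NOT a real curve: y^2 = x^3 + A*x + B over F_P.
P = 1019   # prime with P % 4 == 3, so sqrt(v) = pow(v, (P + 1) // 4, P)
A = 2
B = 3
INF = None  # point at infinity


def is_on_curve(pt, b=B):
    """The check the SafeCurves item asks for: is pt on y^2 = x^3 + A x + b?"""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + b)) % P == 0


def add(p1, p2):
    """Affine short-Weierstrass group law. B never appears: the same code is the
    group law on every curve y^2 = x^3 + A x + b', so an unvalidated input point
    moves the whole computation onto a curve of the attacker's choosing."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1, including y == 0 (order-2 point)
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Left-to-right double-and-add scalar multiplication."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def naive_ecdh(secret, peer_point):
    """Vulnerable peer: multiplies whatever it is handed."""
    return mul(secret, peer_point)


def safe_ecdh(secret, peer_point):
    """Hardened peer: refuses anything that is not a point on the real curve.
    (On a prime-order curve this suffices; with a cofactor you would also
    need a subgroup check.)"""
    if peer_point is INF or not is_on_curve(peer_point):
        raise ValueError("input is not a curve point")
    return mul(secret, peer_point)


def point_of_order(q):
    """Attacker's search: a point of prime order q on some curve with the same A
    but b' != B (singular curves skipped), i.e. a point NOT on the real curve."""
    for b_prime in range(P):
        if b_prime == B or (4 * A ** 3 + 27 * b_prime * b_prime) % P == 0:
            continue
        for x in range(P):
            rhs = (x ** 3 + A * x + b_prime) % P
            y = pow(rhs, (P + 1) // 4, P)
            if y * y % P != rhs:
                continue                 # rhs is not a square, no point here
            pt = (x, y)
            if mul(q, pt) is INF:        # q prime and pt != INF, so order is exactly q
                return pt
    raise RuntimeError("no point of order %d found" % q)


def crt(residues, moduli):
    """Garner-style CRT for pairwise coprime moduli."""
    total, m = 0, 1
    for r, q in zip(residues, moduli):
        t = (r - total) * pow(m, -1, q) % q
        total += m * t
        m *= q
    return total


def recover_secret(oracle, primes=(3, 5, 7, 11)):
    """Invalid-curve attack: each order-q point leaks secret mod q, because
    secret * r only depends on secret mod q when r has order q."""
    residues = []
    for q in primes:
        r = point_of_order(q)
        leaked = oracle(r)                      # victim computes secret * r unchecked
        residues.append(next(j for j in range(q) if mul(j, r) == leaked))
    return crt(residues, list(primes))          # exact once 3*5*7*11 = 1155 > secret


def demo(secret=777):
    """Constructed run: the naive peer gives up its secret, the safe peer refuses."""
    recovered = recover_secret(lambda pt: naive_ecdh(secret, pt))
    try:
        safe_ecdh(secret, point_of_order(3))
        refused = False
    except ValueError:
        refused = True
    return recovered, refused
```

The oracle here returns the full shared point; in practice the attacker would test each of the q candidates against a MAC or ciphertext derived from it, which costs the same q trials. Montgomery-ladder x-only code such as Curve25519 avoids this because the ladder only ever touches the curve or its quadratic twist, both of which the parameters were chosen to make safe, which is the design property the comment above is pointing at.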



