waxwing (@waxwing)
I'm always a bit torn about stuff like this. On the one hand, CRT is cool and it's even cooler that people have made successful attacks on real-world systems using these so-called 'twist attacks' (basically the fuck-up is to not check whether the "point" you're provided is actually on the curve).

https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md

But, on the other hand, calling it a danger when using secp256k1 for encryption seems a bit wrong when the danger is specifically that you *didn't* use secp256k1!

Indeed, the substance of this attack is to exploit the fact that if a curve group has small subgroups, you can apply CRT to get info about secret keys. But secp256k1 doesn't have *any* subgroups. So the attack depends on the victim not checking whether an externally given public key is actually on secp256k1. Combining that key in a DH-type exchange leads to naughtiness.
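The substance of the post above as a runnable illustration. This is an added example, not code from the thread or from the linked write-up: it implements plain affine secp256k1 arithmetic, an unchecked ECDH beside a checked one, and the twist attack against the unchecked one using the quadratic twist y^2 = x^3 - 7 (its order is 2(p+1) - n, which has small prime factors). The demo secret key and the trial-division bound are constructed choices, and all function names are my own.

```python
# Added example (not from the thread or the linked post): unchecked versus
# checked ECDH on secp256k1, and why the unchecked one leaks the secret key
# modulo the small prime factors of the twist order. Assumes only the public
# secp256k1 parameters; the demo secret below is a constructed value.
from itertools import count

# secp256k1: y^2 = x^3 + 7 over F_p, prime group order n (cofactor h = 1)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B = 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity
DEMO_SECRET = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed

def add(p1, p2):
    """Affine point addition. The formulas use only a (= 0) and p, never b,
    so they work unchanged on any curve y^2 = x^3 + b'. That is the bug:
    an off-curve input is silently processed on some other curve."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = INF
    while k:
        if k & 1: r = add(r, pt)
        pt = add(pt, pt); k >>= 1
    return r

def on_curve(pt, b=B):
    return pt is not INF and (pt[1] ** 2 - pt[0] ** 3 - b) % P == 0

def ecdh_unchecked(d, peer):
    """The vulnerable pattern: multiply whatever point we were handed."""
    return mul(d, peer)

def ecdh_checked(d, peer):
    """The fix: refuse anything that is not a point on secp256k1.
    With cofactor 1 the on-curve check already implies order n."""
    if not on_curve(peer):
        raise ValueError("peer public key is not on secp256k1")
    return mul(d, peer)

# Quadratic twist: p = 3 mod 4, so -1 is a non-residue and the twist is
# y^2 = x^3 - 7. E and its twist have opposite traces, so #E' = 2(p+1) - n.
TWIST_B = (-B) % P
TWIST_ORDER = 2 * (P + 1) - N

def small_prime_factors(m, limit=30000):
    """Distinct prime factors of m below limit, by trial division."""
    out, q = [], 2
    while q < limit:
        if m % q == 0:
            out.append(q)
            while m % q == 0: m //= q
        q += 1
    return out

def twist_point_of_order(q):
    """Deterministically find a point of exact prime order q on the twist:
    first x with a square right-hand side, then multiply by the cofactor."""
    for x in count(1):
        rhs = (x ** 3 + TWIST_B) % P
        if pow(rhs, (P - 1) // 2, P) != 1:
            continue
        pt = (x, pow(rhs, (P + 1) // 4, P))  # sqrt, valid because p = 3 mod 4
        r = mul(TWIST_ORDER // q, pt)
        if r is not INF:
            return r

def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise-coprime moduli."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        t = (r - x) * pow(M, -1, m) % m
        x, M = x + M * t, M * m
    return x % M, M

def twist_attack(d):
    """Attacker sends a twist point of small order q, learns d mod q by
    brute force, repeats per prime, and combines the residues with CRT.
    (A real attacker compares candidates against a MAC or ciphertext
    derived from the shared secret; here we compare the point directly.)"""
    primes = small_prime_factors(TWIST_ORDER)
    residues = []
    for q in primes:
        Q = twist_point_of_order(q)
        shared = ecdh_unchecked(d, Q)
        acc, k = INF, 0  # walk Q, 2Q, 3Q, ... until it matches
        while acc != shared:
            acc, k = add(acc, Q), k + 1
        residues.append(k % q)
    return crt(residues, primes)

if __name__ == "__main__":
    rec, M = twist_attack(DEMO_SECRET)
    print(f"recovered d mod {M} = {rec}; true value {DEMO_SECRET % M}")
    try:
        ecdh_checked(DEMO_SECRET, twist_point_of_order(3))
    except ValueError as e:
        print("checked ECDH rejected the twist point:", e)
```

Only the small factors of the twist order fall out this way, so the recovered value is d modulo their product; the attack becomes fatal on curves whose twist (or whose own group) has enough small factors, and harmless once the on-curve check is in place.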
niftynei() 🇺🇸💸🧡 · 111w
ooh. Can I fact-check myself really fast? I'm working on my very short intro to elliptic curves for base58, and tell people in the video that the h=1 in the secp paper means exactly this: that there are no "subgroups" for the G group (I think I call them cycles). Is that a correct explanation?
waxwing · 111w
(continuing on this topic, at possibly absurd length): The most interesting thing about this write up is that it's principally advocating for using curve25519 (see the 3rd recommendation at the end of the post) for ECDH and thus encryption, based on the idea that it's been designed to handle tricky...