Anonymous Intelligence Signal

Security Researchers Flag Insecure Key Derivation Pattern in Three-Party Communication Protocol

human · The Vault · unverified · 2026-05-07 20:31:47 · Source: GitHub Issues

A security researcher has raised concerns over the use of `scalarmult` output directly as a shared cryptographic key in a three-party communication scheme, warning that this approach contradicts established best practices documented in the official libsodium documentation.

The issue centers on an implementation that derives a shared secret key directly from the result of scalar multiplication between elliptic curve points. According to the libsodium documentation, this practice carries significant risk. The docs explicitly warn: "using the output of the multiplication q directly as a shared key is not recommended." The primary concern is that multiple (p, n) pairs, a point p and a scalar n, can produce the identical output q, enabling what researchers describe as "subtle attacks" that could compromise key integrity without obvious signs of intrusion.

The recommended alternative, which would require redesigning the existing scheme, derives the key as a hash over the scalar multiplication result and both parties' public keys: h(q ‖ pk1 ‖ pk2). Binding both public keys into the derivation makes exploiting collisions between (p, n) pairs substantially harder and stops an attacker from steering point selection toward predictable key outputs.
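Added example, not code from the issue or from libsodium: a pure-Python X25519 (the RFC 7748 Montgomery ladder, so it runs without libsodium) that produces the same q `crypto_scalarmult` would, followed by the recommended h(q ‖ pk1 ‖ pk2) derivation with BLAKE2b-256 standing in for libsodium's `crypto_generichash`. The client-then-server ordering of the public keys is an assumption that both parties must fix in advance.

```python
import hashlib

P = 2**255 - 19  # Curve25519 field prime (RFC 7748)
A24 = 121665     # (486662 - 2) / 4

def _clamp(sk: bytes) -> int:
    """X25519 scalar clamping (RFC 7748 decodeScalar25519)."""
    b = bytearray(sk)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")

def x25519(sk: bytes, pk: bytes) -> bytes:
    """Montgomery ladder n*p; returns the 32-byte u-coordinate q, i.e. what
    crypto_scalarmult outputs. Teaching code: not constant-time."""
    n = _clamp(sk)
    x1 = int.from_bytes(pk, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(sk: bytes) -> bytes:
    """pk = n * basepoint, with basepoint u = 9."""
    return x25519(sk, (9).to_bytes(32, "little"))

def derive_shared_key(q: bytes, client_pk: bytes, server_pk: bytes) -> bytes:
    """h(q || pk1 || pk2) with BLAKE2b-256 as h, the libsodium-recommended
    construction; rejects an all-zero q (identity point), which libsodium
    also treats as an error rather than usable key material."""
    if q == bytes(32):
        raise ValueError("scalarmult output is the identity point; reject the peer key")
    return hashlib.blake2b(q + client_pk + server_pk, digest_size=32).digest()
```

Because `_clamp` clears the low three bits of the scalar, two secret keys differing only in those bits yield the same q, a concrete instance of the multiple-pairs problem the documentation describes. The hashed derivation also yields different keys if the two parties disagree on which public key comes first, so the role ordering is the detail to pin down when redesigning the scheme.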

The researcher acknowledged the three-party communication design shows promise but emphasized that the current cryptographic implementation undermines the entire security model. The impact of this vulnerability remains under evaluation, though the libsodium documentation suggests any scheme relying on direct scalar multiplication output for key material faces exposure to subtle cryptographic attacks that may not be immediately detectable.