On Fri, 6 May 2016 19:17:11 +0000
isis <isis@xxxxxxxxxxxxxx> wrote:

> Both parties check that none of the EXP() operations produced the
> point at infinity. [NOTE: This is an adequate replacement for
> checking Y for group membership, if the group is Curve25519.]
>
> [XXX: This doesn't sound exactly right. You need the scalar
> tweaking of X25519 for this to work and also, the point at infinity
> is obviously an element of the group --isis, peter]

Maybe reword this to specify that EXP() MUST include the check for all
zero output as specified in RFC 7748. It's what our current ntor
implementation does here.

Regards,

--
Yawning Angel
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev