
Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope



On Fri, 6 May 2016 19:17:11 +0000
isis <isis@xxxxxxxxxxxxxx> wrote:
>   Both parties check that none of the EXP() operations produced the
> point at infinity. [NOTE: This is an adequate replacement for
> checking Y for group membership, if the group is Curve25519.]
> 
>   [XXX: This doesn't sound exactly right. You need the scalar
> tweaking of X25519 for this to work and also, the point at infinity
> is obviously an element of the group --isis, peter]

Maybe reword this to specify that EXP() MUST include the check for all
zero output as specified in RFC 7748.  It's what our current ntor
implementation does here.

Regards,

-- 
Yawning Angel
