Yawning Angel transcribed 2.2K bytes:
> On Fri, 6 May 2016 19:17:11 +0000
> isis <isis@xxxxxxxxxxxxxx> wrote:
> > Both parties check that none of the EXP() operations produced the
> > point at infinity. [NOTE: This is an adequate replacement for
> > checking Y for group membership, if the group is Curve25519.]
> >
> > [XXX: This doesn't sound exactly right. You need the scalar
> > tweaking of X25519 for this to work and also, the point at infinity
> > is obviously an element of the group --isis, peter]
>
> Maybe reword this to specify that EXP() MUST include the check for all
> zero output as specified in RFC 7748. It's what our current ntor
> implementation does here.

Thanks, good suggestion. I've added it here:

https://gitweb.torproject.org/user/isis/torspec.git/commit/?h=draft/newhope&id=bcf8c60a

And removed the odd description w.r.t. "the Curve25519 group" here:

https://gitweb.torproject.org/user/isis/torspec.git/commit/?h=draft/newhope&id=d04f771f

FWIW, the original "Both parties check that none of the EXP() [...] group
is Curve25519" sentence comes directly from the original NTor
specification in proposal #216, so we might consider making this change
there:

https://gitweb.torproject.org/torspec.git/tree/proposals/216-ntor-handshake.txt#n99

--
isis agora lovecruft
_________________________________________________________
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://fyb.patternsinthevoid.net/isis.txt
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev