On Sun, 2016-05-08 at 13:15 +0000, isis wrote:
> Also, deriving `a` "somehow" from the shared X25519 secret is a bit
> scary
> (cf. the §3 "Backdoors" part of the NewHope paper,

Oh wow. That one is nasty.

> or Yawning's PoC of a
> backdoored NewHope handshake [0]).
>
> [0]:
> https://git.schwanenlied.me/yawning/newhope/src/nobus/newhope_nobus.go

I see. The point is that being ambiguous about the security requirements of the seed for `a` lets you sneak in a bad usage of it elsewhere. In some cases, I suppose both sides contributing to `a` might help them know the other side is not backdoored, but that's not so relevant for Tor.

Jeff
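To make the design point in the exchange above concrete, here is an added example (not code from this thread, from Tor, or from the NewHope reference implementation) of the transparent way to produce the public polynomial `a`: expand it deterministically from a 32-byte public seed with SHAKE-128 and rejection sampling, so the peer can recompute and check it, and optionally hash both parties' fresh nonces into that seed so neither side picks `a` alone. The ring parameters n = 1024 and q = 12289 match NewHope's, but the expansion routine, the `a-seed-v1` label, and the function names are simplified assumptions of this example.

```python
import hashlib
import secrets

# Ring parameters matching NewHope's n and q; the expansion below is a
# simplified illustration (assumption), not the reference parser.
N = 1024
Q = 12289


def expand_a(seed: bytes) -> list:
    """Derive the public polynomial `a` from a public 32-byte seed.

    SHAKE-128 output is read as 16-bit little-endian words and values >= q
    are rejected, so `a` is a deterministic, uniform function of the seed.
    Anyone holding the seed can recompute `a`; nobody can bias it without
    the seed itself being visible in the transcript.
    """
    if len(seed) != 32:
        raise ValueError("public seed must be exactly 32 bytes")
    out_len = 4 * N  # enough on average; doubled if rejection runs long
    while True:
        stream = hashlib.shake_128(seed).digest(out_len)
        coeffs = []
        for i in range(0, len(stream) - 1, 2):
            v = int.from_bytes(stream[i:i + 2], "little")
            if v < Q:
                coeffs.append(v)
                if len(coeffs) == N:
                    return coeffs
        out_len *= 2


def combined_seed(initiator_nonce: bytes, responder_nonce: bytes) -> bytes:
    """Contributory seed: hash both parties' public nonces (assumption: a
    design variant floated in the thread, not the NewHope protocol itself).

    The seed depends only on values both sides send in the clear, never on
    the shared secret, so its security requirement is unambiguous: it must
    be fresh and public, and it can be audited by either party.
    """
    if len(initiator_nonce) != 32 or len(responder_nonce) != 32:
        raise ValueError("each contribution must be 32 fresh random bytes")
    h = hashlib.sha3_256()
    h.update(b"a-seed-v1")  # domain-separation label (constructed)
    h.update(initiator_nonce)
    h.update(responder_nonce)
    return h.digest()


def verify_peer_a(seed: bytes, claimed_a: list) -> bool:
    """Recompute `a` from the public seed and compare with what the peer
    claims to be using; a mismatch means the peer's `a` was not derived
    transparently and the handshake should be aborted."""
    return expand_a(seed) == claimed_a


def demo() -> bool:
    """Both sides contribute a nonce, derive the same seed, and each checks
    the other's `a` against its own recomputation. Returns True on success."""
    init_nonce = secrets.token_bytes(32)
    resp_nonce = secrets.token_bytes(32)
    seed = combined_seed(init_nonce, resp_nonce)
    a_initiator = expand_a(seed)
    a_responder = expand_a(seed)
    return verify_peer_a(seed, a_responder) and verify_peer_a(seed, a_initiator)


if __name__ == "__main__":
    print("transparent a derivation agreed:", demo())
```

The check in `verify_peer_a` is the operational consequence of the thread's point: if `a` is a public function of a public seed, a peer that deviates is detectable, whereas a seed derived from the shared secret gives the other side nothing to verify.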
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev