Trevor Perrin <tr...@trevp.net> wrote:

> The main problem in this area is confusion around DH validation and DH
> semantics. To improve this we should focus on clear and simple
> advice, safe protocols and frameworks, and education about safe
> protocol design. X25519's simple interface is a major step in this
> direction.
Here's my suggestion for simple advice:

1. Like you suggest, one shouldn't design protocols that require the zero check, so the protocol can be safely implemented using a library that doesn't do it.

2. Also, one shouldn't design protocols that are incompatible with the zero check, so that your protocols can be implemented using a library that does do it.

Now maybe there are some (potentially) important protocols where the zero check really gets in the way for some reason, and there's no reasonable way to work around it. If so, it would be good to see a concrete example.

Cheers,
Brian

_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves