On Tue, Dec 22, 2015 at 1:36 PM, Brian Smith <br...@briansmith.org> wrote:
> First, maybe I'm overlooking something obvious, but I'm not seeing it: Why
> are we concerned only with whether the high bit has been set, instead of
> whether the public value has been reduced mod q (q == 2^255-19)? Aren't
> there ~19 interesting values that don't have the high bit set but which are
> also relevant to this issue?
You're correct, but I'm trying to say that the CFRG document defines a function that operates on bytestrings so that higher-level protocols don't have to worry about things like this. I think TLS should handle the byte strings opaquely so that we have uniform behaviour for X25519/X448 and only a single place where it needs to be tested.

The behaviour of X25519/X448 for non-reduced values is also specified in the CFRG document.

Cheers

AGL

-- 
Adam Langley a...@imperialviolet.org https://www.imperialviolet.org

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
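The point in the exchange above is that X25519, as defined in the CFRG curves document (published as RFC 7748), is a function on 32-byte strings: it masks the top bit of the last byte of the u-coordinate before decoding, and it treats the resulting 255-bit integer modulo p = 2^255 - 19, so the ~19 encodings with the high bit clear but u >= p are accepted and behave as their reduced form. The following is an added example written for this page, not code from the thread's participants or from the CFRG document: a straightforward Python transcription of the RFC 7748 section 5 ladder, run over the section 5.2 test vector and over the three encodings of one u-coordinate that the thread is about (canonical, high bit set, and u + p). The helper names `raw_u` and `equivalent_inputs` are this example's own. The ladder is written for clarity and is not constant time.

```python
"""X25519 on byte strings, per RFC 7748 section 5 (illustrative, not constant time)."""

P = 2**255 - 19      # field prime for curve25519
A24 = 121665         # (486662 - 2) / 4
BITS = 255           # scalar bit length used by the ladder for X25519


def decode_u_coordinate(u_bytes: bytes) -> int:
    """Decode a 32-byte little-endian u-coordinate; the MSB of the last byte is ignored."""
    if len(u_bytes) != 32:
        raise ValueError("u-coordinate must be 32 bytes")
    u = bytearray(u_bytes)
    u[31] &= 0x7F                      # RFC 7748: mask the most significant bit
    return int.from_bytes(u, "little")


def decode_scalar25519(k_bytes: bytes) -> int:
    """Clamp and decode a 32-byte X25519 scalar (RFC 7748 section 5)."""
    if len(k_bytes) != 32:
        raise ValueError("scalar must be 32 bytes")
    k = bytearray(k_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def encode_u_coordinate(u: int) -> bytes:
    """Canonical 32-byte little-endian encoding of a field element (reduced mod p)."""
    return (u % P).to_bytes(32, "little")


def _cswap(swap: int, a: int, b: int):
    """Conditional swap via an arithmetic mask, mirroring the RFC pseudocode."""
    mask = -swap                       # 0 when swap == 0, all ones when swap == 1
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """X25519(k, u): Montgomery ladder from RFC 7748 section 5 on 32-byte inputs."""
    k = decode_scalar25519(k_bytes)
    u = decode_u_coordinate(u_bytes) % P   # non-canonical u (>= p) is reduced here
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(BITS - 1, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = k_t
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return encode_u_coordinate(x2 * pow(z2, P - 2, P))


def raw_u(u: int) -> bytes:
    """Encode an integer < 2^256 as 32 little-endian bytes WITHOUT reducing mod p.

    This is how the non-canonical and high-bit-set inputs below are constructed.
    """
    return u.to_bytes(32, "little")


# RFC 7748 section 5.2, first X25519 test vector.
RFC_K = bytes.fromhex("a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4")
RFC_U = bytes.fromhex("e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c")
RFC_OUT = bytes.fromhex("c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552")


def equivalent_inputs(k_bytes: bytes, u: int):
    """X25519 outputs for u, for u with bit 255 set, and for u + p when that still fits in 255 bits.

    u + p < 2^255 holds exactly for u in 0..18: those are the encodings with the high
    bit clear that are nonetheless not reduced mod p.
    """
    out_plain = x25519(k_bytes, raw_u(u))
    out_high = x25519(k_bytes, raw_u(u | (1 << 255)))
    out_nonred = x25519(k_bytes, raw_u(u + P)) if u + P < 2**255 else None
    return out_plain, out_high, out_nonred


if __name__ == "__main__":
    assert x25519(RFC_K, RFC_U) == RFC_OUT
    plain, high, nonred = equivalent_inputs(RFC_K, 9)   # 9 is the X25519 base point
    print(plain.hex(), plain == high, plain == nonred)
```

Because both the bit mask and the reduction happen inside `x25519` itself, a caller that passes the peer's 32 bytes through untouched gets identical output for all three encodings of the same u-coordinate, which is the single testable place the reply argues for; a protocol layer that only strips the high bit would leave the u >= p cases to whatever the underlying implementation does.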