On Fri, 6 May 2016 19:17:11 +0000 isis <i...@torproject.org> wrote:
> Both parties check that none of the EXP() operations produced the
> point at infinity. [NOTE: This is an adequate replacement for
> checking Y for group membership, if the group is Curve25519.]
>
> [XXX: This doesn't sound exactly right. You need the scalar
> tweaking of X25519 for this to work and also, the point at infinity
> is obviously an element of the group --isis, peter]

Maybe reword this to specify that EXP() MUST include the check for all
zero output as specified in RFC 7748. It's what our current ntor
implementation does here.

Regards,

-- 
Yawning Angel
_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev