Yawning Angel transcribed 2.2K bytes:
> On Fri, 6 May 2016 19:17:11 +0000
> isis <i...@torproject.org> wrote:
> >   Both parties check that none of the EXP() operations produced the
> > point at infinity. [NOTE: This is an adequate replacement for
> > checking Y for group membership, if the group is Curve25519.]
> > 
> >   [XXX: This doesn't sound exactly right. You need the scalar
> > tweaking of X25519 for this to work and also, the point at infinity
> > is obviously an element of the group --isis, peter]
> Maybe reword this to specify that EXP() MUST include the check for all
> zero output as specified in RFC 7748.  It's what our current ntor
> implementation does here.

Thanks, good suggestion.  I've added it here:

And removed the odd description w.r.t. "the Curve25519 group" here:

FWIW, the original "Both parties check that none of the EXP() […] group is
Curve25519" sentence comes directly from the original NTor specification in
proposal #216, so we might consider making this change there:

 ♥Ⓐ isis agora lovecruft
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://fyb.patternsinthevoid.net/isis.txt


tor-dev mailing list
