On Fri, 6 May 2016 19:17:11 +0000 isis isis@torproject.org wrote:
> Both parties check that none of the EXP() operations produced the point at infinity. [NOTE: This is an adequate replacement for checking Y for group membership, if the group is Curve25519.]
> [XXX: This doesn't sound exactly right. You need the scalar tweaking of X25519 for this to work and also, the point at infinity is obviously an element of the group --isis, peter]
Maybe reword this to specify that EXP() MUST include the check for all zero output as specified in RFC 7748. It's what our current ntor implementation does here.
Regards,