On Sun, 2016-05-08 at 13:15 +0000, isis wrote:
> Also, deriving `a` "somehow" from the shared X25519 secret is a bit scary (cf. the §3 "Backdoors" part of the NewHope paper,
Oh wow. That one is nasty.
> or Yawning's PoC of a backdoored NewHope handshake [0]).
I see. The point is that being ambiguous about the security requirements of the seed for `a` lets you sneak in a bad usage of it elsewhere.
In some cases, I suppose both sides contributing to `a` might help them know the other side is not backdoored, but that's not so relevant for Tor.
Jeff