[curves] curve25519 public keys with high bit set

Samuel Neves sneves at dei.uc.pt
Tue Jun 3 18:30:40 PDT 2014

On 06/04/2014 12:57 AM, Trevor Perrin wrote:
> Do people agree that masking is the best practice?

I agree. I only see one reason (modulo compatibility) to keep the current behavior: certain implementations of the
arithmetic might expect inputs in the range [0, 2^255-18], in which case masking the high bit still needs to be followed
by a reduction. I don't think this is a strong enough reason not to mask it.
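Added example, not part of the original message: a Python sketch of the decode step under discussion, showing that clearing bit 255 can still leave a value in [2^255-19, 2^255-1], so a reduction mod p follows the mask before the Montgomery ladder (RFC 7748 formulas) runs. The function names, the scalar `K` and the three sample encodings are constructed for this illustration, and the ladder is not constant time.

```python
# Added illustration; names and sample inputs are this example's own (assumptions).
P = 2**255 - 19
A24 = 121665

def decode_u(b: bytes, mask: bool = True) -> int:
    """Little-endian decode of a 32-byte public key; optionally clear bit 255."""
    u = int.from_bytes(b, "little")
    return u & ((1 << 255) - 1) if mask else u

def clamp(k: bytes) -> int:
    """Standard scalar clamping for Curve25519."""
    s = bytearray(k)
    s[0] &= 248
    s[31] = (s[31] & 127) | 64
    return int.from_bytes(s, "little")

def x25519(k: bytes, u_bytes: bytes, mask: bool = True) -> bytes:
    """Montgomery ladder; the input u is reduced mod p after optional masking."""
    x1 = decode_u(u_bytes, mask) % P  # masking alone can leave u >= p
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in reversed(range(255)):
        bit = (clamp(k) >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

K = bytes(range(32))                                 # constructed scalar
U9 = (9).to_bytes(32, "little")                      # canonical base point u = 9
U9_HIGH = (9 | (1 << 255)).to_bytes(32, "little")    # same bytes with high bit set
U9_NONCANON = (P + 9).to_bytes(32, "little")         # high bit clear, value >= p
```

With masking, `U9_HIGH` and `U9_NONCANON` both produce the same output as `U9`; without masking, `U9_HIGH` decodes to 2^255 + 9, which reduces to 28 and yields a different result.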
