[curves] X25519 and zero outputs

Brian Smith brian at briansmith.org
Mon May 1 23:21:24 PDT 2017


Trevor Perrin <trevp at trevp.net> wrote:
> The main problem in this area is confusion around DH validation and DH
> semantics.  To improve this we should focus on clear and simple
> advice, safe protocols and frameworks, and education about safe
> protocol design.  X25519's simple interface is a major step in this
> direction.

Here's my suggestion for simple advice:

1. Like you suggest, one shouldn't design protocols that require the
zero check, so the protocol can be safely implemented using a library
that doesn't do it.
2. Also, one shouldn't design protocols that are incompatible with the
zero check, so that your protocols can be implemented using a library
that does do it.

Now maybe there are some (potentially) important protocols where the
zero check really gets in the way for some reason, and there's no
reasonable way to work around it. If so, it would be good to see a
concrete example.

Cheers,
Brian
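As an added illustration of the two library behaviours contrasted above (not part of this thread, and not anyone's production code): a minimal pure-Python X25519 following RFC 7748, exposed once without the all-zero check and once with it, so a protocol can be exercised against both. Function names, the `None`-for-abort convention and the low-order inputs `u = 0` and `u = 1` are my choices for the example.

```python
# Added example: RFC 7748 X25519 with and without the all-zero output check.
P = 2**255 - 19
A24 = 121665                          # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")

def _decode_u(b: bytes) -> int:
    # Clear the top bit of the last byte (RFC 7748), then reduce mod p.
    return (int.from_bytes(b, "little") & ((1 << 255) - 1)) % P

def _clamp(b: bytes) -> int:
    k = bytearray(b)
    k[0] &= 248                       # scalar becomes a multiple of the cofactor 8
    k[31] &= 127
    k[31] |= 64                       # fixed top bit, so the ladder has fixed length
    return int.from_bytes(k, "little")

def _ladder(k: int, u: int) -> int:
    # Montgomery ladder from RFC 7748 section 5; the swaps are NOT constant-time here.
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # For a low-order peer point k*P is the point at infinity, so z2 == 0 and
    # pow(0, p-2, p) == 0: the function quietly returns 0, the "zero output".
    return x2 * pow(z2, P - 2, P) % P

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Plain RFC 7748 X25519, as in libraries that do not check the output."""
    return _ladder(_clamp(scalar), _decode_u(u)).to_bytes(32, "little")

def x25519_checked(scalar: bytes, u: bytes):
    """As in libraries that do check: None stands for 'abort the handshake'."""
    out = x25519(scalar, u)
    # Production code compares in constant time; the decision itself is the same.
    return None if out == bytes(32) else out
```

With the RFC 7748 Alice/Bob keys both variants agree on the shared secret, while for a peer value of all zeros (or `u = 1`) the unchecked variant returns 32 zero bytes and the checked one returns `None`.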