[noise] Curve25519 key bitmask?

Watson Ladd watsonbladd at gmail.com
Sun Jul 13 10:43:21 PDT 2014

The mysecret[31]|=64 is to place the high bit in a known position to
make some addition algorithms easier.
The mysecret[0] &=248 clears the low 3 bits of the secret to eliminate
the possibility of small-subgroup confinement attacks: only zero will

Watson Ladd

On Sun, Jul 13, 2014 at 10:39 AM, Jonathan Rudenberg
<jonathan at titanous.com> wrote:
> The Curve25519 documentation[0] says that we should do these bitwise ops while computing the secret key:
>      mysecret[0] &= 248;
>      mysecret[31] &= 127;
>      mysecret[31] |= 64;
> It’s not immediately apparent what the reason for this is and if it has any negative/positive impact. Would someone explain it to me?
> Thanks,
> Jonathan
> [0] http://cr.yp.to/ecdh.html
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

More information about the Noise mailing list