[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
Yawning Angel
yawning at schwanenlied.me
Fri May 6 19:54:04 UTC 2016
On Fri, 6 May 2016 19:17:11 +0000
isis <isis at torproject.org> wrote:
> Both parties check that none of the EXP() operations produced the
> point at infinity. [NOTE: This is an adequate replacement for
> checking Y for group membership, if the group is Curve25519.]
>
> [XXX: This doesn't sound exactly right. You need the scalar
> tweaking of X25519 for this to work and also, the point at infinity
> is obviously an element of the group --isis, peter]
Maybe reword this to specify that EXP() MUST include the check for all
zero output as specified in RFC 7748. It's what our current ntor
implementation does here.
Regards,
--
Yawning Angel
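For readers who want to see what "EXP() MUST include the check for all zero output as specified in RFC 7748" means operationally, here is an added example (not Tor's ntor code and not part of the thread): a pure-Python X25519 following the RFC 7748 Montgomery ladder, wrapped in an `exp_checked()` that rejects the all-zero result as RFC 7748 section 6.1 describes. The ladder encodes the point at infinity as z = 0, which inverts to 0, so a low-order input (u = 0, u = 1, and the other small-subgroup u-coordinates) multiplied by the clamped scalar, a multiple of 8, always comes out as 32 zero bytes; that is why the all-zero check is the implementable form of "check that none of the EXP() operations produced the point at infinity". The key and output values are the RFC 7748 section 5.2 and 6.1 test vectors; the function and class names are my own.

```python
import hmac

# Added example: RFC 7748 X25519 with the all-zero output check (not Tor's code).
P = 2**255 - 19
A24 = 121665                      # (486662 - 2) / 4 for Curve25519
BASEPOINT = b"\x09" + b"\x00" * 31


class LowOrderPoint(ValueError):
    """EXP() produced the all-zero output: the peer's point is in a small subgroup."""


def _decode_scalar(k: bytes) -> int:
    """Clamp as in RFC 7748 section 5: clear bits 0-2 and 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """Decode a u-coordinate, masking the unused top bit as the RFC requires."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def _cswap(swap: int, a: int, b: int):
    """Conditional swap written in the RFC's mask form (not constant-time in Python)."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """Raw EXP(): the RFC 7748 Montgomery ladder; infinity comes out as z_2 == 0 -> 0."""
    k = _decode_scalar(k_bytes)
    x_1 = _decode_u(u_bytes)
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * ((da - cb) ** 2) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    # pow(0, P-2, P) == 0, so the point at infinity (z_2 == 0) encodes as all zeros.
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def exp_checked(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """EXP() as the handshake should use it: abort on the all-zero output.

    RFC 7748 section 6.1 says the check must not leak information about the
    shared secret, hence the constant-time comparison rather than `not any(out)`.
    """
    out = x25519(k_bytes, u_bytes)
    if hmac.compare_digest(out, bytes(32)):
        raise LowOrderPoint("EXP() produced the all-zero output; abort the handshake")
    return out


def demo_exchange():
    """Honest exchange using the RFC 7748 section 6.1 vectors; both sides agree."""
    alice_priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    bob_priv = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    alice_pub = exp_checked(alice_priv, BASEPOINT)
    bob_pub = exp_checked(bob_priv, BASEPOINT)
    return exp_checked(alice_priv, bob_pub), exp_checked(bob_priv, alice_pub)


def demo_low_order(u_bytes: bytes) -> bool:
    """True if exp_checked() rejects the given u-coordinate for a fresh scalar."""
    k = bytes.fromhex("a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4")
    try:
        exp_checked(k, u_bytes)
    except LowOrderPoint:
        return True
    return False


if __name__ == "__main__":
    print(demo_exchange()[0].hex())
    print("u=0 rejected:", demo_low_order(bytes(32)))
    print("u=1 rejected:", demo_low_order(b"\x01" + bytes(31)))
```

The raw `x25519()` is what a library exposes; the handshake must call the checked wrapper for every EXP() on a peer-supplied value, since accepting an all-zero shared secret lets a peer that sent a low-order point force a known key. Python integer arithmetic is not constant-time, so this is a reference for the logic, not a drop-in implementation.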