Yawning Angel transcribed 2.2K bytes:
> On Fri, 6 May 2016 19:17:11 +0000 isis <isis@torproject.org> wrote:
>> Both parties check that none of the EXP() operations produced the point at infinity. [NOTE: This is an adequate replacement for checking Y for group membership, if the group is Curve25519.]
>> [XXX: This doesn't sound exactly right. You need the scalar tweaking of X25519 for this to work and also, the point at infinity is obviously an element of the group --isis, peter]
> Maybe reword this to specify that EXP() MUST include the check for all zero output as specified in RFC 7748. It's what our current ntor implementation does here.
Thanks, good suggestion. I've added it here: https://gitweb.torproject.org/user/isis/torspec.git/commit/?h=draft/newhope&...
And removed the odd description w.r.t. "the Curve25519 group" here: https://gitweb.torproject.org/user/isis/torspec.git/commit/?h=draft/newhope&...
FWIW, the original "Both parties check that none of the EXP() […] group is Curve25519" sentence comes directly from the original NTor specification in proposal #216, so we might consider making this change there: https://gitweb.torproject.org/torspec.git/tree/proposals/216-ntor-handshake....
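To make the proposed wording concrete, here is an added example (not code from this thread, from torspec, or from Tor's ntor implementation): a from-scratch X25519 per the RFC 7748 Montgomery ladder, wrapped in an `EXP()` function that performs the all-zero-output check Yawning refers to. The function and class names are my own; the test vectors are the ones printed in RFC 7748 sections 5.2 and 6.1, and the u-coordinates 0 and 1 are two of the well-known low-order inputs on Curve25519. This is teaching code in Python big integers and is not constant-time, so it is not a drop-in for the ntor implementation.

```python
# Educational X25519 (RFC 7748) with the all-zero shared-secret check.
# Added example, not Tor project code; not constant-time.

P = 2**255 - 19      # field prime
A24 = 121665         # (486662 - 2) / 4 for Curve25519


class LowOrderPointError(ValueError):
    """Raised when EXP() yields the all-zero output (RFC 7748 section 6.1)."""


def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte scalar as RFC 7748 section 5 requires.

    Clearing the low three bits makes the scalar a multiple of 8, which is
    the 'scalar tweaking' that sends every low-order input to the point at
    infinity (encoded as 0)."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    """Decode a u-coordinate; the unused top bit MUST be masked."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def _cswap(swap: int, a: int, b: int):
    dummy = swap * ((a - b) % P)
    return (a - dummy) % P, (b + dummy) % P


def x25519_raw(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder exactly as laid out in RFC 7748 section 5."""
    k = decode_scalar(k_bytes)
    x_1 = decode_u(u_bytes)
    x_2, z_2 = 1, 0
    x_3, z_3 = x_1, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = pow((da + cb) % P, 2, P)
        z_3 = x_1 * pow((da - cb) % P, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * ((aa + A24 * e) % P) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    # z_2 == 0 (point at infinity) inverts to 0, so the output is all zeros.
    return ((x_2 * pow(z_2, P - 2, P)) % P).to_bytes(32, "little")


def EXP(u_bytes: bytes, k_bytes: bytes) -> bytes:
    """ntor-style EXP(Y, x): X25519 plus the MUST-check for all-zero output.

    A low-order peer value (u = 0, u = 1, ...) collapses every scalar to the
    same shared secret, so the result is rejected instead of being used."""
    out = x25519_raw(k_bytes, u_bytes)
    if out == bytes(32):
        raise LowOrderPointError("peer public key is a low-order point")
    return out


def exp_is_rejected(u_bytes: bytes, k_bytes: bytes) -> bool:
    try:
        EXP(u_bytes, k_bytes)
        return False
    except LowOrderPointError:
        return True


# RFC 7748 section 6.1 test vectors (real values from the RFC, not constructed).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
BASEPOINT = (9).to_bytes(32, "little")

if __name__ == "__main__":
    assert EXP(BASEPOINT, ALICE_PRIV) == ALICE_PUB
    assert EXP(BOB_PUB, ALICE_PRIV) == EXP(ALICE_PUB, BOB_PRIV) == SHARED
    print("honest handshake agrees")
    for u in (bytes(32), (1).to_bytes(32, "little")):
        print("low-order u rejected:", exp_is_rejected(u, ALICE_PRIV))
```

The wrapper is the whole point of the wording change: with clamped scalars the ladder never produces an encoding of the point at infinity other than all zeros, so "check for all-zero output" is the checkable statement, and it is the check an implementation can actually perform on the bytes it has.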