
8 May 2016, 8:55 p.m.
On Sun, 2016-05-08 at 13:15 +0000, isis wrote:
> Also, deriving `a` "somehow" from the shared X25519 secret is a bit scary (cf. the §3 "Backdoors" part of the NewHope paper,

Oh wow. That one is nasty.

> or Yawning's PoC of a backdoored NewHope handshake [0]).
>
> [0]: https://git.schwanenlied.me/yawning/newhope/src/nobus/newhope_nobus.go
I see. The point is that being ambiguous about the security requirements of the seed for `a` lets you sneak in a bad usage of it elsewhere. In some cases, I suppose both sides contributing to `a` might help them know the other side is not backdoored, but that's not so relevant for Tor.

Jeff
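The property the thread is circling, that the seed for `a` should be public, contributed to by both sides, and recomputable by anyone holding only the transcript, as an added Python example that is not code from this thread, from NewHope, or from Tor. It uses NewHope's ring size and modulus, but the seed-combination scheme (`combine_seeds`), the domain-separation label, and the plain `v < Q` rejection sampler are assumptions made here for illustration; they simplify the reference NewHope parser and are not its exact behaviour.

```python
# Added example: derive a NewHope-style public polynomial `a` from a seed that
# both handshake parties contribute to and that travels in the clear, so an
# auditor without any secret can recompute and check `a` from the transcript.
import hashlib

N = 1024      # NewHope ring dimension
Q = 12289     # NewHope modulus


def combine_seeds(seed_init: bytes, seed_resp: bytes) -> bytes:
    """Bind the parameter seed to both parties' public 32-byte nonces.

    Assumed construction (not NewHope's): a domain-separated SHA3-256 over the
    initiator's and responder's nonces. Neither side alone controls the result,
    and no shared secret is involved, so the seed's security requirement is
    simply 'public and fresh'.
    """
    if len(seed_init) != 32 or len(seed_resp) != 32:
        raise ValueError("each nonce must be exactly 32 bytes")
    return hashlib.sha3_256(b"param-seed" + seed_init + seed_resp).digest()


def gen_a(seed: bytes) -> list:
    """Expand a 32-byte public seed into N coefficients in [0, Q) with SHAKE-128.

    Simplified rejection sampling on little-endian 16-bit chunks: a chunk is
    kept only if it is already below Q, which keeps the output uniform.
    """
    if len(seed) != 32:
        raise ValueError("seed must be exactly 32 bytes")
    coeffs = []
    xof = hashlib.shake_128(seed)
    nbytes = 2 * N * 6        # ~6144 candidates; acceptance rate is Q/65536
    consumed = 0
    while len(coeffs) < N:
        # SHAKE output is prefix-consistent, so re-requesting a longer digest
        # lets us continue from where the previous pass stopped.
        stream = xof.digest(nbytes)
        for i in range(consumed, nbytes - 1, 2):
            v = stream[i] | (stream[i + 1] << 8)
            if v < Q:
                coeffs.append(v)
                if len(coeffs) == N:
                    break
        consumed = nbytes
        nbytes *= 2
    return coeffs


def derive_handshake_parameter(seed_init: bytes, seed_resp: bytes) -> list:
    """What each party computes after both nonces have been exchanged."""
    return gen_a(combine_seeds(seed_init, seed_resp))


def auditor_recomputes(transcript: dict, a_claimed: list) -> bool:
    """An observer holding only the public transcript checks the claimed `a`.

    This check is impossible when `a` is derived from a shared secret: nothing
    in the transcript lets a third party tell an honest `a` from a chosen one.
    """
    a_expected = derive_handshake_parameter(transcript["seed_init"], transcript["seed_resp"])
    return a_expected == a_claimed


if __name__ == "__main__":
    import secrets
    # Constructed handshake: both sides draw fresh public nonces.
    transcript = {"seed_init": secrets.token_bytes(32), "seed_resp": secrets.token_bytes(32)}
    a_init = derive_handshake_parameter(transcript["seed_init"], transcript["seed_resp"])
    a_resp = derive_handshake_parameter(transcript["seed_init"], transcript["seed_resp"])
    print("both sides agree on a:", a_init == a_resp)
    print("auditor can recompute a:", auditor_recomputes(transcript, a_init))
```

The defensive point is in `auditor_recomputes`: because every input to `a` is on the wire, a logging middlebox, a test harness, or a code reviewer can reproduce `a` and any deviation is detectable. Deriving `a` from the X25519 secret removes that check entirely, which is exactly what makes the "somehow" in the quoted message dangerous.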