On Tue, Mar 10, 2015 at 11:47 PM, Niels Möller nisse@lysator.liu.se wrote:
- curve25519_mul should be changed to have a void return type (an earlier implementation failed for inputs which didn't correspond to points on the curve, but instead were points on its twist). But the current implementation, using the Montgomery ladder, doesn't care and computes a well defined result for all inputs.
No idea about this, do you think that a future re-implementation could need an error code?
I've done this change now. In the documentation, I now say that the output is undefined for inputs on the twist curve. Which I think is fine for Diffie-Hellman: if you don't trust your partner to do his/her part of the Diffie-Hellman exchange correctly (and authenticate the messages you receive), you can't expect the generated session key to be secure or useful, no matter how curve25519_mul computes the shared secret.
I only follow at the high level, but wouldn't it be better for this function to be allowed to fail if there are cases that could fail? Even if the current version doesn't, a future version could detect a broken (but not malicious) peer, and that is better than just ignoring it.
regards, Nikos
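An added reference illustration, not Nettle's code and not part of the thread: a plain-Python X25519 Montgomery ladder following RFC 7748, showing the behaviour Niels describes, namely that the ladder computes a well-defined 32-byte result for every u-coordinate, including ones that lie on the twist rather than on curve25519 itself. The Euler-criterion membership test, the twist search and the sample keys are constructed for this example and are not part of Nettle's API.

```python
# Added reference example (not Nettle's code): RFC 7748 X25519 Montgomery ladder.
# Not constant-time; it only illustrates the ladder's behaviour on arbitrary input.
P = 2**255 - 19
A = 486662           # Montgomery coefficient of curve25519: v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4   # 121665

def clamp(k: bytes) -> int:
    """Scalar clamping from RFC 7748 section 5 (little-endian)."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def decode_u(b: bytes) -> int:
    """u-coordinate decoding: little-endian, most significant bit ignored."""
    return int.from_bytes(b, "little") & ((1 << 255) - 1)

def ladder(k: int, u: int) -> int:
    """Montgomery ladder on the u-coordinate only: no curve membership test."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P   # z2 == 0 yields 0, never an exception

def x25519(k: bytes, u: bytes) -> bytes:
    return ladder(clamp(k), decode_u(u)).to_bytes(32, "little")

def on_curve(u: int) -> bool:
    """True if some v satisfies the curve equation, i.e. (u, v) lies on
    curve25519 itself rather than on its quadratic twist (Euler's criterion)."""
    rhs = (u**3 + A * u * u + u) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1

def first_twist_u() -> int:
    """Smallest u-coordinate whose point lies on the twist (constructed input)."""
    return next(u for u in range(1, P) if not on_curve(u))

def twist_input_still_computes(k: bytes) -> bool:
    """The ladder accepts a twist u-coordinate and returns a 32-byte result."""
    return len(x25519(k, first_twist_u().to_bytes(32, "little"))) == 32
```

The membership test is what a caller would need if it wanted to reject twist inputs itself; the ladder alone gives no signal, which is why a void return is consistent with the current implementation.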