On Mon, 2016-04-25 at 21:43 +0200, Niels Möller wrote:
Hi,
I wouldn't expect any problems from this, it's a corner case with input values which are arguably invalid.
The motivation in the RFC, as I understand it, is to leave it open for protocols to use the top bit for their own purposes, without bothering to clear it before invoking curve25519. Which at first seems a bit silly, but there's some value in not leaving corner cases implementation defined, and it would maybe have been even more silly to require that implementations do wraparound of that improper high bit.
This change would also need some updates of test cases and documentation.
It would make sense to document the version of nettle after which this behavior is followed, and probably add some ifdef, similar to the FIPS202 one for sha3.
regards, Nikos
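As an added illustration of the corner case discussed above (this is example code written for this page, not nettle's curve25519 implementation or anything posted in the thread), here is a pure-Python X25519 that follows the RFC 7748 decoding rules: the u-coordinate is read little-endian, bit 255 is masked off before reduction mod p, and the scalar is clamped. The `mask_high_bit` switch is an assumption added only to show what an implementation that does not mask would do instead: the improper high bit then wraps around mod p and a different point is used. The keys in the self-check are constructed, not RFC vectors.

```python
# Added example (not nettle code): RFC 7748 X25519 in pure Python, showing
# the u-coordinate decoding that masks the top bit (bit 255) before use.
import os

P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4, the Montgomery ladder constant


def decode_scalar(k: bytes) -> int:
    """RFC 7748 decodeScalar25519: clamp the 32-byte private key."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes, mask_high_bit: bool = True) -> int:
    """RFC 7748 decodeUCoordinate: little-endian, top bit masked, then mod p.

    mask_high_bit=False is NOT RFC behaviour; it is here only to show the
    'wraparound' alternative mentioned in the discussion.
    """
    u = bytearray(u)
    if mask_high_bit:
        u[31] &= 127
    return int.from_bytes(u, "little") % P


def encode_u(u: int) -> bytes:
    return (u % P).to_bytes(32, "little")


def cswap(swap: int, a: int, b: int):
    """Conditional swap driven by a 0/1 flag without a data-dependent branch
    (illustrative only; Python big ints are not constant time)."""
    mask = (-swap) & (a ^ b)
    return a ^ mask, b ^ mask


def x25519(k: bytes, u: bytes, mask_high_bit: bool = True) -> bytes:
    """Montgomery ladder exactly as laid out in RFC 7748 section 5."""
    k_int = decode_scalar(k)
    x_1 = decode_u(u, mask_high_bit)
    x_2, z_2 = 1, 0
    x_3, z_3 = x_1, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        x_2, x_3 = cswap(swap, x_2, x_3)
        z_2, z_3 = cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = pow((da + cb) % P, 2, P)
        z_3 = x_1 * pow((da - cb) % P, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = cswap(swap, x_2, x_3)
    z_2, z_3 = cswap(swap, z_2, z_3)
    return encode_u(x_2 * pow(z_2, P - 2, P) % P)


BASE_POINT = encode_u(9)
# Constructed input: the base point with the improper top bit set.
BASE_POINT_HIGH_BIT = bytes(BASE_POINT[:31]) + bytes([BASE_POINT[31] | 0x80])


def high_bit_is_ignored(k: bytes) -> bool:
    """With RFC decoding, u and u|2^255 give the same shared secret."""
    return x25519(k, BASE_POINT) == x25519(k, BASE_POINT_HIGH_BIT)


def dh_agrees(a: bytes, b: bytes) -> bool:
    """Both sides derive the same secret; a self-check needing no vectors."""
    pub_a = x25519(a, BASE_POINT)
    pub_b = x25519(b, BASE_POINT)
    return x25519(a, pub_b) == x25519(b, pub_a)


if __name__ == "__main__":
    a, b = os.urandom(32), os.urandom(32)
    print("DH agrees:", dh_agrees(a, b))
    print("top bit ignored:", high_bit_is_ignored(a))
    print("unmasked decode of 9|2^255:", decode_u(BASE_POINT_HIGH_BIT, False))
```

With masking, `decode_u` of the base point with bit 255 set is still 9; without masking, 2^255 + 9 reduces mod p to 28, so a non-masking implementation silently operates on a different point. The same function can be checked against the section 6.1 vectors of RFC 7748 if an interoperability test is wanted.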