Closed tarcieri closed 6 years ago
X25519 has a degenerate case where the Montgomery-u coordinate is zero: the resulting point is always zero, regardless of the scalar:
```
[1] pry(main)> degenerate_key = X25519::MontgomeryU.new("\0" * X25519::KEY_SIZE)
=> #<X25519::MontgomeryU:0000000000000000000000000000000000000000000000000000000000000000>
[2] pry(main)> X25519::Scalar.generate.multiply(degenerate_key)
=> #<X25519::MontgomeryU:0000000000000000000000000000000000000000000000000000000000000000>
```
How to handle this is a bit contentious depending on which cryptographer you ask, but checking for this case and raising an exception might be a good idea.
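The check proposed in the issue above, as an added example that is not the x25519 gem's code. It assumes a plain RFC 7748 Montgomery ladder written out in Ruby; `x25519`, `checked_dh` and `DegenerateKeyError` are hypothetical names, not the gem's API.

```ruby
require "securerandom"

# Illustrative RFC 7748 ladder: Ruby bignum math, NOT constant time.
PRIME = 2**255 - 19
A24 = 121_665
BASEPOINT = ([9] + [0] * 31).pack("C*")
class DegenerateKeyError < StandardError; end # hypothetical name

def le_int(bytes)
  bytes.each_with_index.sum { |x, i| x << (8 * i) }
end

def x25519(scalar, u)
  k = scalar.bytes
  k[0] &= 248; k[31] &= 127; k[31] |= 64 # RFC 7748 scalar clamping
  k = le_int(k)
  ub = u.bytes
  ub[31] &= 127 # top bit of u is ignored
  x1 = le_int(ub) % PRIME
  x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
  254.downto(0) do |t|
    bit = (k >> t) & 1
    x2, x3, z2, z3 = x3, x2, z3, z2 if (swap ^ bit) == 1
    swap = bit
    a = (x2 + z2) % PRIME; b = (x2 - z2) % PRIME
    c = (x3 + z3) % PRIME; d = (x3 - z3) % PRIME
    aa = a * a % PRIME; bb = b * b % PRIME; e = (aa - bb) % PRIME
    da = d * a % PRIME; cb = c * b % PRIME
    x3 = (da + cb)**2 % PRIME
    z3 = x1 * (da - cb)**2 % PRIME
    x2 = aa * bb % PRIME
    z2 = e * (aa + A24 * e) % PRIME
  end
  x2, z2 = x3, z3 if swap == 1
  out = x2 * z2.pow(PRIME - 2, PRIME) % PRIME # z2 == 0 maps to 0
  Array.new(32) { |i| (out >> (8 * i)) & 0xff }.pack("C*")
end

# Diffie-Hellman that rejects the degenerate all-zero result.
def checked_dh(scalar, peer_u)
  shared = x25519(scalar, peer_u)
  acc = 0
  shared.each_byte { |b| acc |= b } # OR every byte, no early exit
  raise DegenerateKeyError, "all-zero X25519 shared secret" if acc.zero?
  shared
end
```

Checking the output rather than the input covers every peer value that maps to zero, not only the literal all-zero key.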