Open david415 opened 7 years ago
When I write `a*b` I take it as given that you use the private key that you have, and the public key from the remote pair, since you do not have the private key to that one anyway. For the other participant, it's the other way around but has the same result. It could be written as `a*b` and `b*a` to indicate which one is local, but it has the same value either way, and I feel it's easier to read if it's just one way. (because that `a*b` is the same value as `b*a` is not immediately visually apparent)
Does that sound reasonable?
It is reasonable, but maybe there should be a bibliographical reference or footnote about the decisional Diffie-Hellman assumption to explain to beginners that this operation produces a shared secret?
I confess this is the first I read about the DDH. Paraphrasing from Wikipedia, the thing is that if you have a_p and b_p and ab you can't efficiently confirm that you have all 3. You must have at least one private key. Another way to put this is that you can't tell the difference between {a_p, b_p, ab} and three random numbers (within the same range).
It does seem like there is something that could be clarified about the scalarmult operations used.
You could possibly add a note about scalar multiplication, and that which key, public or private, is implied. In particular the base is always the local private key and the exponent is always the remote public key...
Or the spec notation could include an indication of which public/private key is used with scalar multiplication.
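The `a*b` / `b*a` equality discussed in this thread, as an added example that is not part of the issue or of the spec under discussion. It assumes the scalarmult is X25519 (RFC 7748), which the thread does not name; `exchange`, `A_PRIV` and `B_PRIV` are hypothetical names with constructed sample keys.

```python
# Added illustration; X25519 (RFC 7748) is an assumed choice of scalarmult.
# Educational only: this ladder is not constant-time.
P = 2**255 - 19
A24 = 121665
BASE = (9).to_bytes(32, "little")  # u-coordinate of the standard base point

def clamp(private: bytes) -> int:
    """Decode a 32-byte private key into the clamped X25519 scalar."""
    b = bytearray(private)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def scalarmult(private: bytes, public: bytes) -> bytes:
    """Scalar is the local private key; point is the remote public key (or BASE)."""
    k = clamp(private)
    x1 = int.from_bytes(public, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):  # Montgomery ladder, top bit first
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def exchange(a_priv: bytes, b_priv: bytes):
    a_pub = scalarmult(a_priv, BASE)      # public keys are what goes on the wire
    b_pub = scalarmult(b_priv, BASE)
    alice = scalarmult(a_priv, b_pub)     # a*b: local private, remote public
    bob = scalarmult(b_priv, a_pub)       # b*a: the other side, same value
    observer = scalarmult(a_pub, b_pub)   # two public keys only: not the secret
    return alice, bob, observer

A_PRIV = bytes(range(1, 33))      # constructed sample keys, not real secrets
B_PRIV = bytes(range(101, 133))

if __name__ == "__main__":
    alice, bob, observer = exchange(A_PRIV, B_PRIV)
    print("a*b == b*a:", alice == bob, "| observer matches:", observer == alice)
```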