IETF-SSH archive


Re: Curve25519/448 key agreement for SSH



Simon Josefsson <simon%josefsson.org@localhost> writes:

> A simple approach would be to say that if the MSB is 1, prepend a zero
> byte.  However, the length difference would leak that information.

Note that it's also possible to use some slightly different mapping than
for mpints. Like it's been done in the DSA signature blob for ages;
there the integers are always coded as 20-byte values, no sign bit, and
no normalization if some value happens to get a zero high byte.

I'm not sure I like that departure from mpint, but I'd like to point out
that it's a possibility and it's been done before.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
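
The two encodings discussed in this message, side by side, as an added example that is not part of the original e-mail or of any SSH implementation: it shows how the mpint length varies with the top byte of the value while the fixed-width form does not. The function names and the 160-bit sample values are constructed for illustration.

```python
import struct

def encode_mpint(n: int) -> bytes:
    """SSH mpint (RFC 4251) for n >= 0: uint32 length, minimal big-endian
    bytes, plus a leading zero byte when the top bit would otherwise be set."""
    if n < 0:
        raise ValueError("non-negative values only in this sketch")
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")  # b"" for n == 0
    if body and body[0] & 0x80:
        body = b"\x00" + body  # keep the value from reading as negative
    return struct.pack(">I", len(body)) + body

def encode_fixed(n: int, width: int = 20) -> bytes:
    """Fixed-width unsigned big-endian: no sign byte, zero high bytes kept."""
    if n < 0:
        raise ValueError("non-negative values only")
    return n.to_bytes(width, "big")  # OverflowError if n needs more bytes

def decode_fixed_pair(blob: bytes, width: int = 20) -> tuple[int, int]:
    """Split a blob of two fixed-width integers (as in the DSA r||s blob)."""
    if len(blob) != 2 * width:
        raise ValueError(f"expected {2 * width} bytes, got {len(blob)}")
    return (int.from_bytes(blob[:width], "big"),
            int.from_bytes(blob[width:], "big"))

# Constructed 160-bit sample values, chosen only for their top byte.
SAMPLES = {
    "top bit set":    0x80 << 152,
    "top bit clear":  0x7F << 152,
    "zero high byte": 0x01 << 144,
}

def wire_lengths() -> dict[str, tuple[int, int]]:
    """Map each sample to (mpint length, fixed-width length) on the wire."""
    return {name: (len(encode_mpint(v)), len(encode_fixed(v)))
            for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (mp, fx) in wire_lengths().items():
        print(f"{name:15} mpint={mp:2} bytes  fixed={fx} bytes")
```

An observer who sees only message sizes can tell the three mpint cases apart; with the fixed-width form all three are the same length.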


