Do not clamp the private key before Elligator inverse map.

The Elligator inverse map uses the least significant bits of the private
key, which clamping sets to 0, to choose a random low-order point to add
to the public key, to ensure uniformity of representatives.

The other ways that the private key is used, namely in calls to
curve25519.ScalarMult and curve25519.ScalarBaseMult, do their own
clamping when necessary and are documented to accept a uniformly random
scalar.
merge-requests/9/head
David Fifield 2 years ago committed by Yawning Angel
parent 586fbf4375
commit 5fcbb0e140

@ -273,9 +273,6 @@ func NewKeypair(elligator bool) (*Keypair, error) {
return nil, err
}
digest := sha512.Sum512(priv)
digest[0] &= 248
digest[31] &= 127
digest[31] |= 64
copy(priv, digest[:])
if elligator {
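
Review bot: At `copy(priv, digest[:])`, nothing in the source records why the hash output is now stored unclamped, so a later reader could take the missing masks for an oversight and restore them. The hunk header shrinks from 9 lines to 6, which matches dropping `digest[0] &= 248`, `digest[31] &= 127` and `digest[31] |= 64`. A short comment above the copy would carry the commit message's reasoning into the code: the Elligator inverse map needs the low bits of the private key, and curve25519.ScalarMult and curve25519.ScalarBaseMult clamp on their own. Since NewKeypair now returns a private key that is a raw SHA-512 output rather than a clamped scalar, its doc comment should say so, and it is worth confirming that no consumer outside this hunk relies on the low three bits being zero.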
