@BRIAN_____ related question: how to check point on curve in X25519, when one only has the x-coordinate?
In *ring* we only do X25519 for one-time-use ephemeral keys and we hand-wave that one-time-use makes it unnecessary to do the point-on-the-curve check. (If you are checking your own scalar mult then you could use an algorithm other than the x-only Montgomery ladder, of course.)
-
-
That's fine. Let's assume that you want to implement ECIES and, cough cough, JWE =)
-
I would have to spend non-trivial amount of time to answer that. Especially it would be interesting to see if the X25519 "all x are on the curve or on the twist" property could be extended to be useful for ECIES, of which I don't have all the details in my head.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.