Section 5.1.3: it would be nice to include a reference or citation for
unknown key share attacks.
Section 5.2: is there a reason to put the word "amortize" in quotes?
Section 7.1.2: it might be worth mentioning here that [keyagreement] also
includes checking that the public key is not the identity point.
Section 7.1.2: is there a reason to recommend either checking for a nonzero
scalar or checking for a non-identity DH output? Checking the latter covers
the former and also covers the check from my prior comment. Moreover, it is
not clear to me that checking the scalar is useful for the recipient, since
this is essentially just checking that their long-term secret is nonzero.
Section 8.1: the sentence "In particular, the KDFs and DH groups..." might
want to clarify that this statement is true only when these primitives are
used as specified. The concern is that HKDF is only indifferentiable under
some restrictions on salt length (for reasons noted in Section 8.3).
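
The Section 7.1.2 point about the DH output check, as an added example that is not part of the original issue or of the draft: on a toy prime-order curve, a single check that the DH output is not the identity rejects both a zero scalar and an identity public key. The curve parameters (textbook values y^2 = x^3 + 2x + 2 over F_17) and the helper names `add`, `mul`, `dh` and `rejected` are assumptions made for illustration.

```python
# Toy prime-order curve, illustration only (not a real DH group, not constant time):
# y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1), group order 19.
P, A = 17, 2
G, ORDER = (5, 1), 19
IDENTITY = None  # point at infinity

def add(p1, p2):
    """Affine point addition, handling the identity and inverse points."""
    if p1 is IDENTITY:
        return p2
    if p2 is IDENTITY:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return IDENTITY
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication; k = 0 yields the identity."""
    acc = IDENTITY
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def dh(sk, pk):
    """DH with one validation step: reject an identity output."""
    out = mul(sk, pk)
    if out is IDENTITY:
        raise ValueError("DH output is the identity point")
    return out

def rejected(sk, pk):
    """True if the output check refuses this (scalar, public key) pair."""
    try:
        dh(sk, pk)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(rejected(0, G), rejected(7, IDENTITY), rejected(7, G))
```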