You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For the NIST curves, there are two different methods of using the resulting shared secret.
TLS treats the resulting output as an integer and thus removes all leading zero bytes.
S/MIME treats the resulting output as a byte string and keeps leading zeros.
Both methods are equally secure in terms of the randomness that is included in the following KDF.
Note: This is not an issue for the newly minted CFRG ECDH algorithms. The shared secret is defined to be an octet string and leading bytes would not be removed.
The text was updated successfully, but these errors were encountered:
Input from Ilari tells me that while this is true in TLS for the DH algorithm, this is not true for the ECDH algorithm. This means that we can assume that leading zeros are not going to be removed in any situation. I don't think we need to document this fact.
For the NIST curves, there are two different methods of using the resulting shared secret.
TLS treats the resulting output as an integer and thus removes all leading zero bytes.
S/MIME treats the resulting output as a byte string and keeps leading zeros.
Both methods are equally secure in terms of the randomness that is included in the following KDF.
Note: This is not an issue for the newly minted CFRG ECDH algorithms. The shared secret is defined to be an octet string and leading bytes would not be removed.
The text was updated successfully, but these errors were encountered: