Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
x/crypto/curve25519,x/crypto/ed25519: reject low order points #31846
Rejecting low order points is not strictly necessary, but it helps root out behaviors that can come unexpected to protocol designers (like non-contributory DH, or signature:message:key not being 1:1:1). libsodium already does indiscriminately, and we should too.
This was suggested by Cas Cremers and Dennis Jackson as part of their upcoming work on revisiting small subgroup and invalid curve attacks.