Clarify the point-at-infinity check we actually used.

author: Nick Mathewson <nickm@torproject.org> 2012-12-13 11:45:27 -0500
committer: Nick Mathewson <nickm@torproject.org> 2012-12-13 11:45:27 -0500
commit: feaa2da97b8c3871fe9aa609498fc5f73de8b30d (patch)
tree: c72c15fc885a300921f2b231fc5c93a1da65d051
parent: 102418a56b4961a8a815c6135e06fc3149b5a46c (diff)
download: torspec-feaa2da97b8c3871fe9aa609498fc5f73de8b30d.tar.gz
torspec-feaa2da97b8c3871fe9aa609498fc5f73de8b30d.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/proposals/216-ntor-handshake.txt b/proposals/216-ntor-handshake.txt
index cb36ea1..fe727b1 100644
--- a/proposals/216-ntor-handshake.txt
+++ b/proposals/216-ntor-handshake.txt
@@ -91,8 +91,9 @@ Protocol:
 
     The client verifies that AUTH == H(auth_input, t_mac).
 
-  [NOTE: It may be adequate to check that EXP(Y,x) is not the point at
-  infinity.  See tor-dev thread.]
+  Both parties check that none of the EXP() operations produced the point at
+  infinity. [NOTE: This is an adequate replacement for checking Y for group
+  membership, if the group is curve25519.]
 
   Both parties now have a shared value for KEY_SEED.  They expand this into
   the keys needed for the Tor relay protocol.
author	Nick Mathewson <nickm@torproject.org>	2012-12-13 11:45:27 -0500
committer	Nick Mathewson <nickm@torproject.org>	2012-12-13 11:45:27 -0500
commit	feaa2da97b8c3871fe9aa609498fc5f73de8b30d (patch)
tree	c72c15fc885a300921f2b231fc5c93a1da65d051
parent	102418a56b4961a8a815c6135e06fc3149b5a46c (diff)
download	torspec-feaa2da97b8c3871fe9aa609498fc5f73de8b30d.tar.gz torspec-feaa2da97b8c3871fe9aa609498fc5f73de8b30d.zip