Handling of all-zero public keys
Closed this issue · 0 comments
tarcieri commented
X25519 has a degenerate case where the Montgomery-u coordinate is zero: the resulting point is always zero, regardless of the scalar:
[1] pry(main)> degenerate_key = X25519::MontgomeryU.new("\0" * X25519::KEY_SIZE)
=> #<X25519::MontgomeryU:0000000000000000000000000000000000000000000000000000000000000000>
[2] pry(main)> X25519::Scalar.generate.multiply(degenerate_key)
=> #<X25519::MontgomeryU:0000000000000000000000000000000000000000000000000000000000000000>
How to handle this is a bit contentious depending on which cryptographer you ask, but checking for this case and raising an exception might be a good idea.