On 06/04/2014 12:57 AM, Trevor Perrin wrote:
> Do people agree that masking is the best practice?

I agree. I only see one reason (modulo compatibility) to keep the current behavior: certain implementations of the arithmetic might expect inputs in the range [0, 2^255-18], in which case masking the high bit still needs to be followed by a reduction. I don't think this is a strong enough reason not to mask it.
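
The decoding step discussed in this message, as an added example that is not part of the original post or of any implementation mentioned on the list: it masks bit 255 of a 32-byte little-endian coordinate and then reduces modulo the Curve25519 field prime, and shows inputs where masking alone still leaves a value outside the reduced range. The names `decode_u`, `encode_u` and `is_canonical` and the sample inputs are assumptions constructed for illustration.

```python
# Added illustration; function names and sample inputs are hypothetical.
P = 2**255 - 19  # Curve25519 field prime


def decode_u(data: bytes, mask_high_bit: bool = True, reduce: bool = True) -> int:
    """Decode a 32-byte little-endian coordinate into an integer."""
    if len(data) != 32:
        raise ValueError("coordinate must be exactly 32 bytes")
    u = int.from_bytes(data, "little")
    if mask_high_bit:
        u &= (1 << 255) - 1  # clear bit 255 (top bit of the last byte)
    if reduce:
        u %= P  # arithmetic that expects reduced inputs needs this step too
    return u


def encode_u(u: int) -> bytes:
    """Canonical 32-byte little-endian encoding of u mod P."""
    return (u % P).to_bytes(32, "little")


def is_canonical(data: bytes) -> bool:
    """True if bit 255 is clear and the encoded value is already below P."""
    return len(data) == 32 and int.from_bytes(data, "little") < P


# Constructed sample inputs.
NINE = encode_u(9)
NINE_HIGH_BIT = NINE[:31] + bytes([NINE[31] | 0x80])  # same bytes, bit 255 set
P_PLUS_3 = (P + 3).to_bytes(32, "little")             # bit 255 clear, value >= P

if __name__ == "__main__":
    # Masked: the stray high bit is ignored and the peer's u is 9.
    print(decode_u(NINE_HIGH_BIT))
    # Unmasked but reduced: 2^255 is congruent to 19 mod P, so u becomes 28.
    print(decode_u(NINE_HIGH_BIT, mask_high_bit=False))
    # Masked but not reduced: the value is still outside [0, P).
    print(decode_u(P_PLUS_3, reduce=False) >= P)
    # Masked and reduced: 3.
    print(decode_u(P_PLUS_3))
```
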
