No matter which way is chosen, it's important to get the IETF TLS specification for Curve25519 to match what's chosen and to include test-vectors for it.
Personally I prefer ignoring the bit. My effort to change LibSodium/Donna was to ensure that all major implementations have the same behaviour. If we can get all major implementations, including NaCl to ignore the bit I'd be happy to follow that path. On a related note, DJB's implementations in SUPERCOP recently changed from interpreting it as a 256 bit integer to ignoring the top bit. But I don't know if NaCl will follow. Somebody should talk with its authors. Note that you can put a sign into MSB, even with 256 bit integer interpretation, it's just a bit annoying. _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
