diff options
| -rw-r--r-- | draft-schanzen-gns.xml | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index acc5b55..36c6999 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
| @@ -1168,9 +1168,12 @@ h[31] &= 7 // Implies h mod L == h | |||
| 1168 | zk' := h * zk | 1168 | zk' := h * zk |
| 1169 | ]]></artwork> | 1169 | ]]></artwork> |
| 1170 | <t> | 1170 | <t> |
| 1171 | We note that implementers must employ a constant time scalar | 1171 | We note that implementers SHOULD employ a constant time scalar |
| 1172 | multiplication for the constructions above. Also, implementers | 1172 | multiplication for the constructions above to protect against |
| 1173 | must ensure that the private key a is an ed25519 private key | 1173 | timing attacks. Otherwise, timing attacks may leak private key |
| 1174 | material if an attacker can predict when a system starts the | ||
| 1175 | publication process. Also, implementers | ||
| 1176 | MUST ensure that the private key a is an ed25519 private key | ||
| 1174 | and specifically that "a[0] & 7 == 0" holds. | 1177 | and specifically that "a[0] & 7 == 0" holds. |
| 1175 | </t> | 1178 | </t> |
| 1176 | <t> | 1179 | <t> |