That will STILL not solve the underlying problem and errors will occasionally occur. (It's x-h that matters)
(Also it wouldn't be that simple, as most likely also verify would have to be changed...)
I think that it does solve the problem and verify() does not need to be changed.
You are right that it probably wouldn't require changes in verify, but in that case...
I was thinking about it for a while, and tell me, HOW exactly would you like to alter the x value?
a) values passed to Curve25519.sign and Curve25519.verify are in PACKED form - ok, that one doesn't have much meaning...
b) x still needs to be a valid priv key and Y its corresponding public key (I call this pair "session key", as it's generated based on the message and secret key)
c) you need to make sure that (x-h) will NOT be "negative" in the meaning defined by 'xmath':
Note that there isn't actually such a thing as positive or negative in a finite field, but you should just pick some definition. My favorite is to define elements with the least significant bit set (when fully reduced) to be negative, and non-zero elements with the least significant bit clear (when fully reduced) to be positive. This makes sure that if x is positive then -x (= p-x) is negative and vice versa.
- xmath
PS: you know that, thanks to this change, we could most likely get rid of that stupid loop inside Transaction.sign...
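The sign convention xmath describes, together with the "(x-h) must not be negative" check from point c), as an added example that is not code from this thread or from the Curve25519 implementation it discusses. The thread does not say which modulus (x-h) is reduced by, so the Curve25519 field prime 2^255-19 is assumed here as a constructed stand-in; the parity argument works unchanged for any odd modulus, because x and p-x then always have opposite parity. All scalars in the example are constructed values, not real keys.

```python
# Added example (not from the thread or the Curve25519 code it discusses).
# Assumption: the modulus is an odd prime; 2^255 - 19 is used as a constructed
# stand-in since the thread does not name the modulus (x - h) is reduced by.

P = 2**255 - 19


def reduce_full(a: int, p: int = P) -> int:
    """Fully reduce a into [0, p). Python's % already maps negative inputs
    into that range, which matters because x - h can be below zero."""
    return a % p


def is_negative(a: int, p: int = P) -> bool:
    """Negative per xmath: least significant bit set after full reduction."""
    return (reduce_full(a, p) & 1) == 1


def is_positive(a: int, p: int = P) -> bool:
    """Positive per xmath: non-zero with least significant bit clear after
    full reduction. Zero is neither positive nor negative."""
    r = reduce_full(a, p)
    return r != 0 and (r & 1) == 0


def neg(a: int, p: int = P) -> int:
    """Additive inverse: -a = p - a (mod p)."""
    return (-a) % p


def session_value_ok(x: int, h: int, p: int = P) -> bool:
    """Point c) from the thread: (x - h), reduced mod p, must not be negative.
    Note the result depends on the parity of the reduced value, not on whether
    x < h as integers."""
    return not is_negative(x - h, p)


def check_convention(samples, p: int = P) -> bool:
    """For every non-zero sample, exactly one of x and -x must be negative and
    exactly one positive. Holds because p is odd: x and p - x differ in parity."""
    for x in samples:
        r = reduce_full(x, p)
        if r == 0:
            continue  # zero is excluded from the convention
        if is_negative(r, p) == is_negative(neg(r, p), p):
            return False
        if is_positive(r, p) == is_positive(neg(r, p), p):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample elements spanning small, large and near-p values.
    constructed = [1, 2, 3, 12345, 2**200 + 7, P - 1, P - 2]
    print("convention consistent:", check_convention(constructed))
    # Constructed scalars (not keys): 10-4=6 is even -> positive -> accepted;
    # 10-3=7 is odd -> negative -> rejected; 3-10 = p-7 is even -> accepted.
    print("x=10,h=4 ->", session_value_ok(10, 4))
    print("x=10,h=3 ->", session_value_ok(10, 3))
    print("x=3,h=10 ->", session_value_ok(3, 10))
```

The last three calls show why the check has to be done on the fully reduced value: 3-10 is negative as an integer, but p-7 is even, so under this convention it is a positive field element and passes, while 10-3 = 7 fails.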