Comment by pseudohadamard
8 hours ago
Did you also check all of the libraries that implement the check differently to libsodium? That's one problem with the near-universal cargo-culting of ref10: it never did any of the checking, so everyone has to reinvent it themselves in different ways. It might be useful to have a single known-good check for both x25519 and ed25519 that people could integrate into their own ref10-derived code.
For people not familiar with the size of the mess we're in here, see https://hdevalence.ca/blog/2020-10-04-its-25519am/. There was another study published before then which found that no two implementations used the same checks, and none of them were compliant with RFC 8032, the alleged standard for Ed25519.
> Did you also check all of the libraries that implement the check differently to libsodium?
Yes, but it was a breadth-first search sourced from the ianix webpage, so I certainly missed some details somewhere. I'll continue to search over the coming weeks in my spare time (if I can get any).