2^255 - 19, describes the finite field over which the elliptic curve is defined.
The "keyspace" in the sense of valid public keys is really defined by the order of the curves generator, G, which in this case is approximately 2^252 ish. Due to the curve having a co-factor of 8.
So when generating a private key, is any 256 bit random sequence good (it gets reduced down to the 252 bits available) or do you have to check you didn't pick one of the 2^4 keys that aren't valid? (Actually, is 2^4 even the right number? Seems awfully low, and hence I guess, unlikely)
This article [0] has a good explanation of why clamping is necessary. But the process is very simple, you just generate 32 random bytes, clear the three least significant bits to avoid small-subgroup attacks, then clear the most significant bit and set the second most significant to avoid side-channel attacks which may occur if an implementation isn’t constant-time. The Libsodium source shows this pretty clearly: [1], lines 18-23.
I'm not sure clamping has anything to do with constant-time and side-channel attacks.
In very rough terms, not accounting for the cofactor means that there are several related unexpected points for any given Curve25519 key. In theory, these points would allow you to conduct an invalid curve point attack; in practice, you have so few of these points that you leak only a couple bits of key information, unlike with the non-25519-vintage curves, where invalid curve points can leak the entire key over a series of probes. So, for DH systems, people sometimes shrug off clamping.
For Ed25519 and signing systems in general, it's a much bigger deal, because it implies that there are multiple possible validating signatures for a set of inputs, which breaks protocol assumptions.
Hm, with regard to timing attacks, I’m not talking about clearing the cofactor, but rather setting the most significant bit to zero & the second most significant to one. My understanding is that this is to defend against an insecure implementation of the scalar multiplication operation which takes a varying length of time depending on which bit is the first non-zero one, thereby revealing information about the key. The linked article supports this (I believe), but I’m always happy to be corrected about these kinds of things :)
I think it is simpler, the algorithm used repeated doubling to find the point on the elliptic curve, so by setting the highest bit to one it ensured that the operation is done to a fixed number of times no matter the input
Theoretically, when you generate a Curve25519 key, you're meant to "clamp" it, which premultiplies the key by the cofactor. In practice, you can get away with just taking any random 32-byte string. Clamping (and its practical importance) is a whole big discussion among Curve25519-heads.
All Thai constitutions have had strong privacy requirements, but that has never been important for what actually happens.
It's really not clear what compliance will be like. If it's anything like most things here then it'll only be if the government gets annoyed that a company will be in any danger of prosecution.
SOCKS is very easy to implement. You could probably knock this together in pretty much any language in little more than the time it takes you to read the SOCKS docs and how to set up the server side TLS connection.
> they forgot that it's about telling the computer to do something, as clearly as possible
Or alternatively, it's to explain to the next reader of the code, as clearly as possible, how the problem was solved (in such a way that it can also be executed by the computer).
> Some people think that a day is one revolution of Earth's axis, and not exactly 86400 seconds
One day is more than one revolution of the planet. The sidereal day is exactly one rotation of the planet, but that's about four minutes shorter than a civil day.
The reason is that the planet also moves around the sun, so in order to get the sun to the same position in the sky for noon the planet needs to turn a little bit more than 360 degrees, about 360/365 extra.
This is likely the major reason why China has not yet blocked the major cloud providers. As soon as they allow ESNI/domain fronting, all bets are off as to what China will block.
They explicitly started doing this after Telegram used domain fronting to work around Russian censorship, which caused large chunks of AWS and GCP addresses to be blocked in Russia.
I get my X1 Extreme on Sunday -- had to order through a friend in the UK because the price in Thailand is nearly 2 times the UK one and in any case nobody has one.
Been a big fan of the thinkpads for 20 years. All of them very solid machines that just last and last, and never had a problem with running Linux on them
