From 5fcbb0e14064d41e4fa43013e1f0ede4028f25c5 Mon Sep 17 00:00:00 2001
From: David Fifield
Date: Fri, 2 Sep 2022 11:58:48 -0400
Subject: [PATCH] Do not clamp the private key before Elligator inverse map.

The Elligator inverse map uses the least significant bits of the private key, which clamping sets to 0, to choose a random low-order point to add to the public key, to ensure uniformity of representatives. The other ways that the private key is used, namely in calls to curve25519.ScalarMult and curve25519.ScalarBaseMult, do their own clamping when necessary and are documented to accept a uniformly random scalar.
---
 common/ntor/ntor.go | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/common/ntor/ntor.go b/common/ntor/ntor.go
index af24b68..17a9ff7 100644
--- a/common/ntor/ntor.go
+++ b/common/ntor/ntor.go
@@ -273,9 +273,6 @@ func NewKeypair(elligator bool) (*Keypair, error) {
 		return nil, err
 	}
 	digest := sha512.Sum512(priv)
-	digest[0] &= 248
-	digest[31] &= 127
-	digest[31] |= 64
 	copy(priv, digest[:])
 	if elligator {
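Review bot: After this hunk, `copy(priv, digest[:])` stores a scalar that is never clamped, and nothing on the new side records that this is deliberate, so the next maintainer who recognises the missing `248/127/64` masks may well "fix" it back and silently break the uniformity of the Elligator representatives that this commit is restoring. I would put the invariant next to the copy: `// Deliberately NOT clamped: the Elligator inverse map needs the low bits of priv to pick a random low-order point; curve25519.ScalarMult/ScalarBaseMult clamp internally.` The soundness of the change also rests on the assumption that `curve25519` here is golang.org/x/crypto/curve25519, whose X25519 path clamps the scalar per RFC 7748; the import is not visible in the hunk, so that is worth confirming and naming in the comment, since any other consumer of `priv` (a different curve implementation, or serialising the key for use elsewhere) would now receive an unclamped scalar. NewKeypair begins and ends outside the hunk, so whether priv is used anywhere other than the two calls the commit message names cannot be checked from here.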