Damus
waxwing · 111w
I'm always a bit torn about stuff like this. On the one hand, CRT is cool and it's even cooler that people have made successful attacks on real world systems using these so-called 'twist attacks' (bas...
(continuing on this topic, at possibly absurd length):

The most interesting thing about this write-up is that it's principally advocating for using curve25519 (see the 3rd recommendation at the end of the post) for ECDH and thus encryption, based on the idea that it's been designed to handle tricky adversarial behaviour. For example, the curve is designed to make constant-time implementation easier to limit/remove side-channel attacks. And one thing in particular it has, which is quite special, is: *any* 32 byte string is an acceptable pubkey; this is done with some clever math magic in the curve's design definition. DJB (the author) therefore actually tells people to *not* validate input keys; as long as they're 32 bytes, they're to be accepted.
waxwing · 111w
But despite the meaningful, but probably over-the-top "immune to side-channel attacks" claim on curve25519's Wikipedia page ("citation needed" - indeed!), the real point to me is that in practice, using a group which is a subgroup of the full curve, is dangerous. And this is borne out, e.g. by this p...