doc: Add a changelog entry and clarified a comment (NFC)

2 years ago · ef832041b7
parent 5fcbb0e140
commit ef832041b7
2 changed files with 6 additions and 0 deletions
--- a/2
+++ b/2
@ -1,4 +1,6 @@
 Changes in version 0.0.14 - UNRELEASED:
+ - Fixed the incompete previous fix to the Elligator 2 subgroup issue (Thanks
+   to David Fifield).

 Changes in version 0.0.13 - 2022-02-04:
 - Stop using utls entirely for TLS signature normalization (meek_lite).
--- a/internal/x25519ell2/x25519ell2.go
+++ b/internal/x25519ell2/x25519ell2.go
@ -144,6 +144,10 @@ func uToRepresentative(representative *[32]byte, u *field.Element, tweak byte) b
 // Note that this function will fail and return false for about
 // half of private keys.
 //
+// The `privateKey` input MUST be the full 32-bytes of entropy
+// (X25519-style "clamping" will result in non-uniformly distributed
+// representatives).
+//
 // WARNING: The underlying scalar multiply explicitly does not clear
 // the cofactor, and thus the public keys will be different from
 // those produced by normal implementations.