On Mon, Feb 29, 2016 at 01:46:07PM +0900, NIIBE Yutaka wrote: > although any value of k to Curve25519(k, P) cannot produce O if P != > O (because of the tweak). This line does not sound true to me. If k is the order of the point P (or 0, for that matter?), why would Curve25519(k, P) not output O (or more correctly, the all-0 string)?