What you could do is hash the shared secret curve point `S` (preferably using a tagged hash function) into a shared private key `r`, then use the corresponding public key `R = r * G` for the `p` tag. This would not leak the actual shared secret.
Login to reply
Replies (1)
Ah now I get it, you're perfectly right, thank you! Massive issue that i had overlooked and yes, hashing fixes this, I'll add it to my implementation, thank you!