[tptacek]

I'm not sure clamping has anything to do with constant-time and side-channel attacks.

In very rough terms, not accounting for the cofactor means that there are several related unexpected points for any given Curve25519 key. In theory, these points would allow you to conduct an invalid curve point attack; in practice, you have so few of these points that you leak only a couple bits of key information, unlike with the non-25519-vintage curves, where invalid curve points can leak the entire key over a series of probes. So, for DH systems, people sometimes shrug off clamping.

For Ed25519 and signing systems in general, it's a much bigger deal, because it implies that there are multiple possible validating signatures for a set of inputs, which breaks protocol assumptions.

[opheliate]

Hm, with regard to timing attacks, I’m not talking about clearing the cofactor, but rather setting the most significant bit to zero & the second most significant to one. My understanding is that this is to defend against an insecure implementation of the scalar multiplication operation which takes a varying length of time depending on which bit is the first non-zero one, thereby revealing information about the key. The linked article supports this (I believe), but I’m always happy to be corrected about these kinds of things :)

[charlieyu1]

I think it is simpler, the algorithm used repeated doubling to find the point on the elliptic curve, so by setting the highest bit to one it ensured that the operation is done to a fixed number of times no matter the input

[tptacek]

Nope, you're probably right!

[john_alan]

You’re correct!