Jake McGinty
@tarcieri the reason I didn't choose this method in the original design is because I wanted the option for people to implement their own crypto backends if snow didn't provide...
Great! Makes sense to do this change now. I'll check it out more once it passes CI. I'm down for re-adding HACL*, I removed it because we had an issue...
Thanks so much for the PR and sorry for the delay in responding! Will check this out shortly.
@kcchu I finally pushed some larger-scale changes to the repo that change the way this feature needs to be implemented. If you don't have the cycles to rebase these on...
I agree that this certainly feels more useful than a "was_write_payload_encrypted", which was implemented because it's trivial. To implement `will_write_payload_encrypt` feels hairier, because it basically involves doing a "dry run"...
Snow doesn't currently support secp256k1, although I'm very open to supporting it.
@tarcieri it errors at the DH calculation which does properly return an `Err`, not the GroupElement construction. That said, this should return a `Result` too, so I'll fix that. I...
My concern about the workaround of always returning a `[0u8; 32]` on libsodium failure is if the library ever introduced another failure case that's _not_ related to providing a low-order...
> Where does point validation occur in `sodiumoxide`? If it fails during scalar mult, then I think the current implementation is fine. I agree that it's kind of... counterintuitive, but...
@gedigi (*one year later*) I think that this seems like a pretty reasonable way to go, and people that want a less secure keypair struct can simply make their own...