5

There are a few systems like the GNU Name System and the Sphinx mixnet packet format that employ a series of curve25519 scalars all multiplied together as a private key.

Are there any caveats to multiplying several together like this? What about adding them or doing other arithmetic operations on scalars?

Another form of this question is: There are several bits twiddled when a scalar is produced for Ed25519. What is the mathematical reasoning behind these modifications? How does it translate to producing a private key scalar for curve25519?


I found a partial answer here. At least the lower three bits are cleared to prevent a small subgroup attack, although there is debate over the effectiveness of this attack. I presume the small subgroup attack is a threat to the curve formulations used in both Ed25519 and curve25519 equally.

Now if one of the scalars being multiplied together is a multiple of 8 then they all are, so that's good. If all are multiples of 8, then addition looks good too, but addition with values that are not multiples of 8 could be problematic. Is this correct? What about the bit operations on higher bits? Why are they there? etc.

Jeff Burdges
  • 1,136
  • 5
  • 17
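As an added worked example (not part of the question, nor code from GNS or Sphinx), the following Python shows which clamping properties survive multiplying or adding scalars, and one caveat for implementations that multiply scalars together: reducing a product modulo the subgroup order L, rather than modulo 8L, discards the multiple-of-8 property. The constants are the public Ed25519 parameters; the seeds are constructed, not real keys.

```python
"""Ed25519/X25519 scalar clamping and what survives scalar arithmetic.

Added example: constants are the public Ed25519 parameters, sample seeds are
constructed (not real keys)."""

# Order of the prime-order subgroup; the whole curve group has order 8 * L.
L = 2**252 + 27742317777372353535851937790883648493
COFACTOR = 8


def clamp(sk32: bytes) -> int:
    """Apply the Ed25519/X25519 bit twiddling to a 32-byte little-endian scalar."""
    a = bytearray(sk32)
    a[0] &= 248   # clear bits 0..2: the scalar becomes a multiple of the cofactor 8
    a[31] &= 127  # clear bit 255: keep the scalar below 2^255
    a[31] |= 64   # set bit 254: fixed top bit, so a Montgomery ladder runs a fixed length
    return int.from_bytes(a, "little")


def is_clamped(k: int) -> bool:
    """Both properties the bit twiddling establishes."""
    return k % COFACTOR == 0 and 2**254 <= k < 2**255


def kills_torsion(k: int) -> bool:
    """k * T is the identity for every small-order point T iff 8 divides k.
    This is the property that matters mathematically; the fixed top bit only
    matters for constant-time implementations and is NOT preserved by products."""
    return k % COFACTOR == 0


def reduce_keeping_cofactor(k: int) -> int:
    """Every point's order divides 8*L, so k and k mod 8*L act identically on all
    points. Reducing mod L is fine on the prime-order subgroup but forgets k mod 8."""
    return k % (COFACTOR * L)


def demo() -> dict:
    k1 = clamp(bytes(range(32)))        # constructed seed, not a real key
    k2 = clamp(bytes(range(32, 64)))    # constructed seed, not a real key
    product, total = k1 * k2, k1 + k2
    return {
        "product_kills_torsion": kills_torsion(product),          # True
        "sum_kills_torsion": kills_torsion(total),                 # True
        "sum_with_odd_scalar_kills_torsion": kills_torsion(k1 + 5),  # False
        "product_reduced_mod_L_mod_8": (product % L) % COFACTOR,  # generally not 0
        "product_reduced_mod_8L_mod_8": reduce_keeping_cofactor(product) % COFACTOR,  # 0
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Since L is congruent to 5 mod 8, the scalar L + 3 is a multiple of 8 but reduces to 3 mod L, which is the smallest concrete case of the reduction caveat.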

0 Answers