otrv4 / otrv4

Off-the-Record Messaging Protocol version 4. -This is a draft- This repository is a mirror of http://bugs.otr.im/otrv4/otrv4


Issue in `ECDH(a, B)` with check calculating shared secret?

cobratbq opened this issue · comments

I'm in conversation with Bouncy Castle devs. He noticed something in the section on generating shared secrets.

```
ECDH(a, B)
  K_ecdh = a * B
  if K_ecdh == 0 (check that it is an all-zero value)
     return error
  else
     return K_ecdh
```

He is wondering if `if K_ecdh == 0` is a remnant of the Montgomery-based logic, where 0 is the neutral element as Montgomery u-coordinate. Given that we work with Edwards representation, should this be a comparison to (0, 1) (neutral element)? (or its corresponding binary encoding)

Hey!

> Given that we work with Edwards representation, should this be a comparison to (0, 1) (neutral element)?

We are already checking for that:

> Check that X is not equal to the identity element (I).

where the Identity element is:

```
Identity element (I)
  (x=0,
   y=1)
```

The reason why we check is because: Shared keys are created by contributory behaviour. Contributory behaviour means that both parties' private keys contribute to the resulting shared key. Since curve448 has a cofactor of 4, an input point of small order will eliminate any contribution from the other party's private key.
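The point discussed in this thread, as an added example that is not part of the issue, the OTRv4 spec or any implementation: on Ed448 a small-order input combined with a scalar that is a multiple of the cofactor always yields the identity `(0, 1)`, whose encoding is not all zeros. The function names, the constructed scalars and the reading of `K_ecdh == 0` as "the 57-byte encoding is all zeros" are assumptions made for illustration.

```python
# Added illustration: affine Ed448 arithmetic. Not constant time; not for real keys.
P = 2**448 - 2**224 - 1            # Ed448-Goldilocks field prime
D = -39081 % P                     # curve: x^2 + y^2 = 1 + D*x^2*y^2
IDENTITY = (0, 1)                  # neutral element in Edwards form
ORDER_2 = (0, P - 1)               # small-order point: doubled once gives IDENTITY
ORDER_4 = (1, 0)                   # small-order point: doubled twice gives IDENTITY

def add(p1, p2):
    """Edwards addition law (complete on this curve because D is a non-square)."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 - x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def encode(pt):
    """RFC 8032 style 57-byte encoding: y little-endian, low bit of x in the top bit."""
    x, y = pt
    return (y | ((x & 1) << 455)).to_bytes(57, "little")

def ecdh_zero_check(a, B):
    """Assumed literal reading of `K_ecdh == 0`: reject only an all-zero encoding."""
    K = mul(a, B)
    if encode(K) == bytes(57):
        raise ValueError("all-zero shared secret")
    return K

def ecdh_identity_check(a, B):
    """Edwards-form check: reject the identity element (0, 1)."""
    K = mul(a, B)
    if K == IDENTITY:
        raise ValueError("shared secret is the identity element")
    return K

# Constructed scalars, multiples of the cofactor 4 (assumption: pruned private keys).
A1, A2 = 4 * 0x1234567, 4 * 0x7654321
```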