IA-32 Tor users with NaCl may be distinguishable from others
curve25519-donna and curve25519-donna-c64 make no special effort to retain the high bit of a public-key coordinate-field element.
The ref implementation in NaCl makes no special effort to clear it. (Fortunately, Tor refuses to use this one.)
The non-free athlon implementation in NaCl is an unreadable blob with no source code in sight, and I don't have a 32-bit environment to test it in handy, but a web page documenting an earlier version of that implementation ([http://cr.yp.to/ecdh.html#validate]) seems to imply that the high bit is considered part of the coordinate-field element. If this is true, it's an anonymity issue for Tor users who use the ntor handshake.
The donna_c64 implementation in NaCl has the same behaviour as the curve25519-donna-c64 implementation shipped with Tor.
Tor must either clear the high bit of every Curve25519 public key it uses, or reduce every Curve25519 public key modulo the field order (the former is easier and consistent with the behaviour of the free Curve25519 implementations shipped in the Tor source package).
(It appears that a relay can only exploit this by causing a user's handshake to fail, but it's still an anonymity bug.)