diff --git a/key_schedule.go b/key_schedule.go
index 3cd6e82..83e5480 100644
--- a/key_schedule.go
+++ b/key_schedule.go
@@ -7,6 +7,7 @@ package tls
 import (
 	"crypto/elliptic"
 	"crypto/hmac"
+	"crypto/subtle"
 	"errors"
 	"golang.org/x/crypto/cryptobyte"
 	"golang.org/x/crypto/curve25519"
@@ -193,8 +194,16 @@ func (p *x25519Parameters) SharedKey(peerPublicKey []byte) []byte {
 	if len(peerPublicKey) != 32 {
 		return nil
 	}
+
 	var theirPublicKey, sharedKey [32]byte
 	copy(theirPublicKey[:], peerPublicKey)
 	curve25519.ScalarMult(&sharedKey, &p.privateKey, &theirPublicKey)
+
+	// Check for low-order inputs. See RFC 8422, Section 5.11.
+	var allZeroes [32]byte
+	if subtle.ConstantTimeCompare(allZeroes[:], sharedKey[:]) == 1 {
+		return nil
+	}
+
 	return sharedKey[:]
 }
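Review bot: The nil return in the second hunk now stands for two distinct rejections, a malformed length and a low-order peer point whose X25519 output is all zeros, but nothing documents that a nil shared secret must abort the handshake rather than be treated as an empty key; the signature of SharedKey sits just above the hunk, so add a doc comment there such as `// SharedKey returns nil if peerPublicKey is not 32 bytes or is a low-order point (all-zero X25519 output, RFC 7748 Section 6.1 / RFC 8422 Section 5.11); callers must abort the handshake on nil.` The all-zero check is the right mitigation and using subtle.ConstantTimeCompare on the secret output is appropriate. If the vendored x/crypto is recent enough to offer curve25519.X25519, it performs this same all-zero check internally and returns an error, which would let this function drop the hand-rolled comparison; I cannot tell from the hunk which x/crypto revision is in use. The enclosing function starts outside the hunk.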