ECDSA for Edwards curve (was: [PATCH v2 2/2] Add support for GOST R 34.10-2001/-2012 signatures)

NIIBE Yutaka gniibe at
Mon Oct 21 09:46:13 CEST 2013

On 2013-10-17 at 08:44 +0200, Werner Koch wrote:
> On Wed, 16 Oct 2013 18:13, dbaryshkov at said:
> > And strangely enough it aborts in 50% of runs. Sometimes it does, sometimes
> > it just outputs a note regarding testkey and exits normally.
> > I failed to capture a problem either via gdb or via valgrind.
> It is an algorithmic problem.

I think that I have figured out the cause of the failure.

In the function nist_generate_key, when we change the private key "d"
into -d, it assumes a Weierstrass curve, where the negative of the point
(x, y) is (x, -y).

However, for a Twisted Edwards curve, the negative of the point (u, v) is (-u, v).

Perhaps the compact form would be v only for a Twisted Edwards curve.

Or, we could change the code so that we have interfaces for
getting/setting an affine point in the representation of the corresponding
Weierstrass curve (x, y) for a Twisted Edwards curve.  And the public key is
specified by the Weierstrass curve representation.
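
The negation rule described in this message, checked numerically as an added example (not libgcrypt code and not part of the original post). It assumes Ed25519's curve parameters, which the thread does not name, and `negation_candidates` is a hypothetical helper.

```python
# Assumption: Ed25519 parameters (a = -1, d = -121665/121666 over 2^255 - 19).
P = 2**255 - 19                                      # field prime
A = P - 1                                            # curve coefficient a = -1
D = (-121665 * pow(121666, -1, P)) % P               # curve coefficient d
N = 2**252 + 27742317777372353535851937790883648493  # order of the base point
GU = 15112221349535400772501151409588531511454012693041857206046113283949847762202
GV = 4 * pow(5, -1, P) % P                           # base point v = 4/5
G = (GU, GV)

def on_curve(pt):
    """True if (u, v) satisfies a*u^2 + v^2 = 1 + d*u^2*v^2."""
    u, v = pt
    return (A*u*u + v*v - 1 - D*u*u*v*v) % P == 0

def add(p1, p2):
    """Complete twisted Edwards addition; the identity is (0, 1)."""
    (u1, v1), (u2, v2) = p1, p2
    t = D * u1 * u2 * v1 * v2 % P
    u3 = (u1*v2 + v1*u2) * pow(1 + t, -1, P) % P
    v3 = (v1*v2 - A*u1*u2) * pow(1 - t, -1, P) % P
    return (u3, v3)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = (0, 1)
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def negation_candidates(d):
    """Return (public point of n-d, (-u, v), (u, -v)) for Q = d*G = (u, v)."""
    u, v = mul(d, G)
    return mul(N - d, G), ((-u) % P, v), (u, (-v) % P)

if __name__ == "__main__":
    d = 0x1234567  # constructed sample private key
    real, edwards_neg, weierstrass_style = negation_candidates(d)
    print("n-d matches (-u, v):", real == edwards_neg)
    print("n-d matches (u, -v):", real == weierstrass_style)
    print("(u, -v) still on curve:", on_curve(weierstrass_style))
```

The flipped-v point still satisfies the curve equation, so a point-validity check alone does not catch the mismatch between the negated private key and the stored public point.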
