ECDSA for Edwards curve

Werner Koch wk at
Mon Oct 21 12:43:58 CEST 2013

On Mon, 21 Oct 2013 09:46, gniibe at said:

> I think that I figure out the issue of failure.

Me too.  By assuming a bug in the code it took me lots of hours to come
to the right conclusion :-(.

> In the function nist_generate_key, when we change the private key "d"
> into -d, it assumes Weierstrass curve, where negative point of (x, y)
> is (x, -y).
> However, for Twisted Edwards curve, negative point of (u, v) is (-u, v).

Yeah.  The question is why we should use that compression form for the
Edwards curve.  The very reason for the Ed25519/ECDSA hack is a special
need of GNUNET which can't be fulfilled by the standard ED25519 key
generation.  Jivsov's black box key generation algorithm would fix the
problem but be unusable for GNUNET as well.

> Or, we could change the code so that we can have interfaces of
> getting/setting affine point in the representation of corresponding
> Weierstrass curve (x, y) for Twisted Edwards curve.  And public key is
> specified by Weierstrass curve representation.

Or forget about Ed25519 and use P-256 directly?  Needs to be discussed
with the GNUnet folks.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gcrypt-devel mailing list