The value d (was: [git] GCRYPT - branch, master, updated. libgcrypt-1.5.0-273-g1c6660d)
NIIBE Yutaka
gniibe at fsij.org
Thu Sep 26 02:21:39 CEST 2013
I read "High-speed high-security signatures", by Daniel J. Bernstein,
et al., and find the definition of ED25519 in the page 7 to page 8.
Specifically:
q = 2^255 - 19
l = 2^252 + 27742317777372353535851937790883648493
d = -121665/121666 (of element in Fq)
B is the unique point (x, 4/5) of element in E where x is positive
Edwards curve E: -x^2 + y^2 = 1 - d*x^2*y^2
> diff --git a/tests/t-mpi-point.c b/tests/t-mpi-point.c
> index 6683189..0641779 100644
> --- a/tests/t-mpi-point.c
> +++ b/tests/t-mpi-point.c
[...]
> @@ -113,6 +121,15 @@ static struct
> "0x11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e6"
> "62c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650"
> },
> + {
> + "Ed25519",
> + "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
> + "-0x01",
> + "-0x98412DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235EC8FEDA4",
> + "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED",
> + "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A",
> + "0x6666666666666666666666666666666666666666666666666666666666666658"
> + },
> { NULL, NULL, NULL, NULL, NULL }
> };
>
Here,
0x98412DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235EC8FEDA4
is: (121666^-1 mod q)*121665.
(121666^-1) * 121665 mod q is:
0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A
While it works for both, I think that shorter is better.
We have same value in the constant variable domain_parms in
cipher/ecc-curves.c.
--
More information about the Gcrypt-devel
mailing list