ec subtract

Markus Teich teichm at
Fri Aug 8 21:59:25 CEST 2014

NIIBE Yutaka wrote:
> If I were you and I had to stand with such a constraint, I'd use negative
> scalar for n in [n]P.  I mean, I would have to modify the expression:
>     Xi = [ri](Zi+1 - Zi-1)
>     one point subtraction and one scalar multiplication of point
> into:
>     Xi = [ri]Zi+1 + [-ri]Zi-1
>     two scalar multiplications of point and one point addition

Heyho NIIBE,

actually this does not work for me:

	gcry_mpi_ec_mul(*ret, priv, succ, edctx);
	gcry_mpi_neg(tmp, priv);
	gcry_mpi_ec_mul(tmpoint, tmp, pred, edctx);
	gcry_mpi_ec_add(*ret, *ret, tmpoint, edctx);

with {*ret, succ, pred, tmpoint} being points and {tmp, priv} being mpis leads
to a wrong result, while:

	gcry_mpi_point_get(x, y, z, pred);
	gcry_mpi_neg(x, x);
	gcry_mpi_point_set(tmpoint, x, y, z);
	gcry_mpi_ec_add(tmpoint2, succ, tmpoint, edctx);
	gcry_mpi_ec_mul(*ret, priv, tmpoint2, edctx);

leads to the correct result. At least both versions produce different *ret
values and the circle keys from step 3 only match if I use the second algorithm.
So I will stick with the second version until the native gcry_mpi_ec_sub is
released in v1.7.
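
The identity discussed in this thread, checked on Ed25519 with plain Python integers as an added example (not code from this thread or from libgcrypt): negating x and multiplying once gives the same point as two multiplications, provided the negated scalar is reduced modulo the group order L. The function names and the sample scalars are assumptions made for the illustration.

```python
# Ed25519 (RFC 8032): -x^2 + y^2 = 1 + D*x^2*y^2 over GF(P); base point order L
P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P
L = 2**252 + 27742317777372353535851937790883648493

def recover_x(y):
    # Solve the curve equation for x; P % 8 == 5 square root, even root chosen
    u = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(u, (P + 3) // 8, P)
    if (x * x - u) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return x if x % 2 == 0 else P - x

def add(p, q):
    # Complete affine twisted Edwards addition for a = -1
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P
    return (x3, y3)

def neg(p):
    # -(x, y) = (-x, y); in projective (X:Y:Z) form this is negating X
    return (-p[0] % P, p[1])

def mul(k, p):
    # Double-and-add; only defined here for k >= 0
    if k < 0:
        raise ValueError("reduce the scalar modulo L first")
    acc = (0, 1)  # neutral element
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc

def subtract_then_mul(r, succ, pred):
    # [r](succ - pred): one subtraction, one multiplication
    return mul(r, add(succ, neg(pred)))

def two_muls(r, succ, pred):
    # [r]succ + [-r mod L]pred: two multiplications, one addition
    return add(mul(r, succ), mul(-r % L, pred))

BY = 4 * pow(5, -1, P) % P
BASE = (recover_x(BY), BY)
# Constructed sample inputs, not values from the thread
SUCC, PRED, PRIV = mul(7, BASE), mul(3, BASE), 0x1234567890ABCDEF
```

If the sign of the scalar is dropped instead of reduced, the second term becomes [r]pred and the sum is [r](succ + pred), a different point.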


More information about the Gcrypt-devel mailing list