ec subtract

NIIBE Yutaka gniibe at
Fri Jul 11 15:00:34 CEST 2014

On 2014-07-11 at 11:12 +0200, Markus Teich wrote:
> Wouldn't that imply that you don't want the user to implement crypto
> algorithms at all?

I don't say so.  With my limited experience, I don't have much
knowledge how good crypto library should be organized/structured.  I
just know that we should not build crypto routines on top of general
purpose MPI, and we need to care about possible attacks.

I'm afraid if current API or implementation of libgcrypt is good
enough for such users who want to implement crypto routines on top of

> I mean the Burmester-Desmedt Group Key Exchange adapted to elliptic curves[0].

Thank you.   I read the paper briefly, and I understand you want to use
subtraction, in the Figure 1. "uBD Setup".

> I am kind of new to EC, so which functions from libgcrypt (1.6.1) would you
> recommend to implement the ECBD?

Please don't take my comment as definitive.  It's my personal opinion.
I think that ECC in libgcrypt is relatively new and there is much room
to improve.

It is unfortunate now, subtraction of EC point is not exported
function.  If I were you and I had to stand with such a constraint,
I'd use negative scalar for n in [n]P.  I mean, I would have to modify
the expression:

    Xi = [ri](Zi+1 - Zi-1)
    one point subtraction and one scalar multiplication of point


    Xi = [ri]Zi+1 + [-ri]Zi-1
    two scalar multiplications of point and one point addition

More information about the Gcrypt-devel mailing list