[EXPERIMENTAL-PATCH] Curve25519 encryption support (updated)

NIIBE Yutaka gniibe at fsij.org
Thu Jul 23 10:02:58 CEST 2015

On 07/22/2015 10:21 PM, Werner Koch wrote:
> On Wed,  8 Jul 2015 02:34, gniibe at fsij.org said:
>> Here, I changed the meaning of '(flags eddsa)' a bit.  Now, it means
>> that the key is in DJB format and under DJB processing:
> We should not overload that flag with a new meaning:

OK, I see.

Let me explain my point.

When I said "the key is in DJB format and under DJB processing", I meant:

	Secret key is multiplied by cofactor and its msb is set.

	Encryption/signature processing assumes such a secret key.

Well, let me call this "sec-is-multiplied-by-cofactor-and-msb-set",
for now.

For Curve25519, its model is MPI_EC_MONTGOMERY and its seret key
should come with a flag of sec-is-multiplied-by-cofactor-and-msb-set.

The eddsa flag already implies something like
sec-is-multiplied-by-cofactor-and-msb-set flag, since EdDSA
computation also assumes similar.  I think that when we introduce
another curve for EdDSA, we will fix current hard-wired cofactor
handling and msb handling.

> We should keep the encoding separate.

I see, I will.

It is possible to define co-factor ECDH with Montgomery curve where
secret key is 1 <= d <= n, and ECDH computation is done by hkdG
(multiplied by cofactor).  It's not implemented yet.

So, its meaning is sec-is-multiplied-by-cofactor-and-msb-set (not mont
or x-only, which is defined by curve's model or compression).

I don't have good naming for the flag though.

More information about the Gcrypt-devel mailing list