[EXPERIMENTAL-PATCH] Curve25519 encryption support (updated)
gniibe at fsij.org
Thu Jul 23 10:02:58 CEST 2015
On 07/22/2015 10:21 PM, Werner Koch wrote:
> On Wed, 8 Jul 2015 02:34, gniibe at fsij.org said:
>> Here, I changed the meaning of '(flags eddsa)' a bit. Now, it means
>> that the key is in DJB format and under DJB processing:
> We should not overload that flag with a new meaning:
OK, I see.
Let me explain my point.
When I said "the key is in DJB format and under DJB processing", I meant:
Secret key is multiplied by cofactor and its msb is set.
Encryption/signature processing assumes such a secret key.
Well, let me call this "sec-is-multiplied-by-cofactor-and-msb-set".
For Curve25519, its model is MPI_EC_MONTGOMERY and its secret key
should come with a flag of sec-is-multiplied-by-cofactor-and-msb-set.
The eddsa flag already implies something like
sec-is-multiplied-by-cofactor-and-msb-set flag, since EdDSA
computation also assumes similar. I think that when we introduce
another curve for EdDSA, we will fix current hard-wired cofactor
handling and msb handling.
> We should keep the encoding separate.
I see, I will.
It is possible to define co-factor ECDH with Montgomery curve where
secret key is 1 <= d <= n, and ECDH computation is done by hkdG
(multiplied by cofactor). It's not implemented yet.
So, its meaning is sec-is-multiplied-by-cofactor-and-msb-set (not mont
or x-only, which is defined by curve's model or compression).
I don't have good naming for the flag though.
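Added example (not part of the original mail and not libgcrypt code): a pure-Python sketch of the two secret-key conventions discussed above, the "multiplied by cofactor and msb set" form and co-factor ECDH with a plain secret d whose computation multiplies by the cofactor h. The function names and sample secrets are constructed for illustration, the ladder follows the RFC 7748 formulas, and the code is not constant time.

```python
# Added illustration: pure Python, not constant time, not libgcrypt code.
P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (A - 2) / 4 with A = 486662
H = 8             # cofactor of Curve25519

def clamp(secret: bytes) -> int:
    """Secret in the 'multiplied by cofactor and msb set' form."""
    s = bytearray(secret)
    s[0] &= 248    # clear low 3 bits: scalar becomes a multiple of 8
    s[31] &= 127   # clear bit 255
    s[31] |= 64    # set bit 254 (the msb of the scalar)
    return int.from_bytes(s, "little")

def ladder(k: int, u: int) -> int:
    """x-only Montgomery ladder: x-coordinate of k*Q for a point Q with x = u."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(256)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P  # z2 == 0 (neutral element) yields 0

def dh_clamped(secret: bytes, peer_u: int) -> int:
    """ECDH where the stored secret already carries the cofactor."""
    return ladder(clamp(secret), peer_u)

def dh_cofactor(d: int, peer_u: int) -> int:
    """Co-factor ECDH: plain secret d, the computation itself uses h*d."""
    return ladder(H * d, peer_u)

if __name__ == "__main__":
    a, b = bytes(range(32)), bytes(range(32, 64))  # constructed sample secrets
    pub_b = ladder(clamp(b), 9)                    # base point has u = 9
    print("shared (clamped):", hex(dh_clamped(a, pub_b)))
    print("order-4 input u=1, plain d=3:", ladder(3, 1))
    print("order-4 input u=1, h*d      :", dh_cofactor(3, 1))
```

With either convention a peer value of small order (u = 0 or u = 1) collapses to the all-zero result, which a caller can detect and reject; a plain scalar that is not a multiple of the cofactor does not have that property.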