Ed25519 key generation (was: triple DH)
Werner Koch
wk at gnupg.org
Thu May 21 17:12:04 CEST 2015
On Tue, 19 May 2015 13:56, christian at grothoff.org said:
> I noticed a two odd things. First, in 'ecc.c::nist_generate_key' you do
> (for EdDSA):
>
> rndbuf = _gcry_random_bytes_secure (32, random_level);
> rndbuf[0] &= 0x7f; /* Clear bit 255. */
> rndbuf[0] |= 0x40; /* Set bit 254. */
> rndbuf[31] &= 0xf8; /* Clear bits 2..0 so that d mod 8 == 0 */
> _gcry_mpi_set_buffer (sk->d, rndbuf, 32, 0);
>
> The bit operations may seem to be to follow the EdDSA spec, but that's
> actually false. Those
They are part of the Ed25519 curve specification. You find them in
nist_generate_key for plain use of the curve and slighly different in
_gcry_ecc_eddsa_genkey for generating a curve for use with EdDSA. Only
one of these functions is ever used by the opt level ecc_generate():
if ((flags & PUBKEY_FLAG_EDDSA))
rc = _gcry_ecc_eddsa_genkey (&sk, &E, ctx, flags);
else
rc = nist_generate_key (&sk, &E, ctx, flags, nbits, &Qx, &Qy);
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gcrypt-devel
mailing list