Are we ready for 1.7 ?

Werner Koch wk at
Fri Apr 8 08:53:15 CEST 2016

On Fri,  8 Apr 2016 04:34, gniibe at said:

> For (2), I think that it is GnuPG (the user of libgcrypt) which should
> check/validate the input.  I'll post to gnupg-devel.


>     def decodeScalar25519(k):
>        k_list = [ord(b) for b in k]
>        k_list[0] &= 248
>        k_list[31] &= 127
>        k_list[31] |= 64
>        return decodeLittleEndian(k_list, 255)
> Currently, in libgcrypt, this tweak is done in key generation.  This
> tweak of scalar value is not included in the computation of
> gcry_mpi_ec_mul_point itself.  (I did implemented so, following the

I don't fully understand.  gcry_mpi_ec_mul_point does not do any
decoding at all.  This should be done by _gcry_ecc_mont_decodepoint for

> Even if our key generation does the tweak, I think that it is good to
> also include the tweak of scalar value in gcry_mpi_ec_mul_point, so
> that the routine will be compatible to crypto_scalarmult, for the sake
> of least surprise by programmers.

Our processing model is a but different so that a 1-1 relationship with
other code is not necessary needed.  But I may have not understand the
issue.  A patch may help me to understand it better.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gcrypt-devel mailing list