Correct method to generate a Curve25519 keypair

Alexander Lyon arlyon at
Sat Jun 23 02:39:47 CEST 2018


To preface, apologies if I am unconventional or naive; I am a little new to this.

I am having issues with generating a Curve25519 key pair using gcry_pk_genkey. Specifically the private key doesn't match the expected bitmask (as defined here nor does the generated public key match the expected value (in this case derived by manually applying the bit mask to the private key and calculating it with a different library).

This is the S-expression used to generate the key:

            (curve "Curve25519")
            (flags djb-tweak comp)

And an example snippet of code to extract the public and private keys, generating the sexp, extracting the mpis and then converting the compressed public key mpi into a point before extracting the X coordinate (the Y and Z were 0x01 and 0x00 respectively).

    gcry_sexp_build( &sexp_params, NULL,
                     "    (ecc"
                     "        (curve \"Curve25519\")"
                     "        (flags djb-tweak comp)"
                     "    )"
                     ")" );

    gcry_sexp_t sexp_curve25519_keypair;
    gcry_pk_genkey( &sexp_curve25519_keypair, sexp_params );

    gcry_ctx_t ctx_curve;
    gcry_mpi_ec_new( &ctx_curve, NULL, "Curve25519" );

    gcry_mpi_t mpi_curve_priv_key;
    gcry_mpi_t mpi_curve_pub_compressed;
    gcry_mpi_point_t point_curve_pub_key = gcry_mpi_point_new( 0 );
    gcry_sexp_extract_param( sexp_curve25519_keypair, NULL, "qd", &mpi_curve_pub_compressed, &mpi_curve_priv_key, NULL );
    gcry_mpi_ec_decode_point( point_curve_pub_key, mpi_curve_pub_compressed, ctx_curve );

At this point, when checking the results in the debugger it is clear that the generated keys are incorrect:

    > gcry_mpi_dump(mpi_curve_priv_key)


    > gcry_mpi_dump(point_curve_pub_key->x)


    > bytes_curve_priv_key[0] == (bytes_curve_priv_key[0] & 248)


    > bytes_curve_priv_key[31] == ((bytes_curve_priv_key[31] & 127) | 64)


What could be causing this? What is the correct way to generate a key pair?



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: Message signed with OpenPGP
URL: <>

More information about the Gcrypt-devel mailing list