cv25519 scalar byte order

Daniel Kahn Gillmor dkg at
Mon Feb 19 17:24:39 CET 2018

On Mon 2018-02-19 15:23:10 +0100, Werner Koch wrote:
> On Wed, 14 Feb 2018 06:13, gniibe at said:
>> I wonder if we have difference in the interpretation of secret part
>> (skey[3]).
>> In GnuPG, this part is interpreted as standard MPI representation
>> (big-endian).
>> For better interoperability, we could support the prefix 0x40 for this
>> secret part, I suppose.
> That would be incorrect.  The prefix (e.g. 0x40) indicates a _point_
> format and not the format of a scalar.  Thus skey[3] MAY not have this
> prefix.

What does this "MAY NOT" mean?  If this is an attempt at RFC 2119
language, I don't understand it.  Do you mean "MUST NOT"?

What steps are needed to clarify the documentation here so that we can
have interoperable implementations?
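
The byte-order difference discussed in the quoted text, as an added example that is not part of the original message or of GnuPG's code. It assumes the OpenPGP MPI wire format (two-byte bit count, then big-endian magnitude) and the fixed 32-byte little-endian scalar layout of RFC 7748; the function names and the sample scalar are constructed for illustration.

```python
# Added illustration; function names are hypothetical, not GnuPG/libgcrypt APIs.

def parse_mpi(buf: bytes) -> int:
    """Parse one OpenPGP MPI: 2-byte big-endian bit count, then big-endian magnitude."""
    if len(buf) < 2:
        raise ValueError("truncated MPI header")
    bits = int.from_bytes(buf[:2], "big")
    body = buf[2:]
    if len(body) != (bits + 7) // 8:
        raise ValueError("MPI length does not match its bit count")
    value = int.from_bytes(body, "big")
    if value.bit_length() != bits:
        raise ValueError("MPI bit count does not match its magnitude")
    return value

def encode_mpi(value: int) -> bytes:
    """Encode a non-negative integer as an MPI (leading zero bytes are dropped)."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def mpi_scalar_to_native(mpi: bytes) -> bytes:
    """Big-endian MPI scalar -> fixed 32-byte little-endian scalar."""
    value = parse_mpi(mpi)
    if value.bit_length() > 256:
        raise ValueError("scalar does not fit in 32 bytes")
    return value.to_bytes(32, "little")   # re-pads any stripped leading zeros

def native_scalar_to_mpi(native: bytes) -> bytes:
    """Fixed 32-byte little-endian scalar -> big-endian MPI."""
    if len(native) != 32:
        raise ValueError("native scalar must be exactly 32 bytes")
    return encode_mpi(int.from_bytes(native, "little"))

# Constructed sample: a clamped scalar (low 3 bits clear, bit 254 set, bit 255 clear).
SAMPLE_NATIVE = bytes([0x08]) + bytes(range(1, 31)) + bytes([0x40])

if __name__ == "__main__":
    mpi = native_scalar_to_mpi(SAMPLE_NATIVE)
    # The magnitude is the native bytes reversed. Its first byte is 0x40 here
    # because of clamping; it is part of the value, not a format prefix.
    print("native:", SAMPLE_NATIVE.hex())
    print("mpi   :", mpi.hex())
    assert mpi_scalar_to_native(mpi) == SAMPLE_NATIVE
```

A 33-byte value (a 0x40 byte followed by 32 scalar bytes) is rejected by `mpi_scalar_to_native` on length alone, so this sketch never has to guess whether a leading 0x40 is a prefix.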
