Ed25519 key generation (was: triple DH)

Werner Koch wk at gnupg.org
Thu May 21 17:12:04 CEST 2015


On Tue, 19 May 2015 13:56, christian at grothoff.org said:

> I noticed a two odd things.  First, in 'ecc.c::nist_generate_key' you do
> (for EdDSA):
>
>       rndbuf = _gcry_random_bytes_secure (32, random_level);
>       rndbuf[0] &= 0x7f;  /* Clear bit 255. */
>       rndbuf[0] |= 0x40;  /* Set bit 254.   */
>       rndbuf[31] &= 0xf8; /* Clear bits 2..0 so that d mod 8 == 0  */
>       _gcry_mpi_set_buffer (sk->d, rndbuf, 32, 0);
>  
> The bit operations may seem to be to follow the EdDSA spec, but that's
> actually false. Those

They are part of the Ed25519 curve specification.  You find them in
nist_generate_key for plain use of the curve and slighly different in
_gcry_ecc_eddsa_genkey for generating a curve for use with EdDSA.  Only
one of these functions is ever used by the opt level ecc_generate():

  if ((flags & PUBKEY_FLAG_EDDSA))
    rc = _gcry_ecc_eddsa_genkey (&sk, &E, ctx, flags);
  else
    rc = nist_generate_key (&sk, &E, ctx, flags, nbits, &Qx, &Qy);



Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




More information about the Gcrypt-devel mailing list