cv25519 scalar byte order
Vincent Breitmoser
look at my.amazin.horse
Tue Feb 13 23:03:58 CET 2018
Werner Koch(wk at gnupg.org)@Tue, Feb 13, 2018 at 01:51:12PM +0100:
> It would also be useful to explain you question with a hex dump of the
> parameters instead of just a verbal description.
Sure.
X25519 Input:
k = 45afc2b924ad66c34dd0508f4aac568f8b8b3c154f7ae44104b794c7551dfd88
u = b94121e20db0369d7cbbd8d09372bae2d48d6e990b5f60895f326235e195e134
X25519 Output:
bouncycastle and tink = c3843a427995b2031e160409b6b1a29700e6e84ee274283bd754f8f9df212313
GnuPG = 005acc6baccaaf72041b10ca74c24e311804958dc87cda5a1e96073c0b922726
See attached secret key and secret message with those values. This fails
to decrypt for me if I use k for the X25519 input (before SP800-56A),
but succeeds with reverse(k).
While implementing to spec, this was unexpected for me, and it took me
quite a while to figure out what GnuPG was doing differently. I also
double-checked, for EdDSA the MPI value is not similarly reversed before
it is handed as a scalar to the algorithm.
- V
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cv25519-encrypted.asc.gpg
Type: application/octet-stream
Size: 160 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180213/22a2f85d/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cv25519-key.sec.asc.gpg
Type: application/octet-stream
Size: 466 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180213/22a2f85d/attachment-0001.obj>
More information about the Gnupg-devel
mailing list