Hello,
In master, I cleaned up the ECC code. Now, for point representation
(in the public key, in the secret key, and in the ephemeral key), it
uses opaque bytes internally.

We have the public API:

  gcry_mpi_ec_get_mpi
  gcry_mpi_ec_set_mpi

which is questionable these days (it's useful when we experiment with
ECC domain parameters). I don't touch it here.

For the public API gcry_mpi_ec_decode_point, it supports both
cases: opaque bytes and a normal MPI.

I found that for EdDSA, while the 0x40 prefix is used in the public key
and the secret key, in r of the signature there is no prefix. The places
where we still have problems are:

- EdDSA r of signature: It's the native point representation in little
  endian with no prefix. Zero bytes at the beginning may be removed,
  thus we have left-pad-zero handling for input. For input, no prefix
  is allowed.

- EdDSA s of signature: It's native little endian. Zero bytes at the
  beginning may be removed, thus we have left-pad-zero handling for
  input.

- EdDSA private key bytes: It's fixed-length bytes. Zero bytes at the
  beginning may be removed, thus we have left-pad-zero handling for
  input.

I don't change those, for now.
--
_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
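
The input rules described in the message above, as an added example that is not part of the original post and is not libgcrypt code. The helper names, error codes and the strict "0x40 plus exactly b bytes" rule for key points are assumptions; b is the native encoding length (32 for Ed25519).

```c
#include <stddef.h>
#include <string.h>

enum { EDDSA_OK = 0, EDDSA_ERR_LENGTH = -1 };  /* hypothetical codes */

/* r, s, private key bytes: left-pad to b bytes. No prefix is recognized,
   so input longer than b is rejected and a leading 0x40 is plain data. */
static int eddsa_leftpad(const unsigned char *in, size_t inlen,
                         size_t b, unsigned char *out)
{
  if (inlen > b)
    return EDDSA_ERR_LENGTH;
  memset(out, 0, b - inlen);
  memcpy(out + (b - inlen), in, inlen);
  return EDDSA_OK;
}

/* Key point (assumed strict form): 0x40 followed by exactly b bytes. */
static int eddsa_strip_prefix(const unsigned char *in, size_t inlen,
                              size_t b, unsigned char *out)
{
  if (inlen != b + 1 || in[0] != 0x40)
    return EDDSA_ERR_LENGTH;
  memcpy(out, in + 1, b);
  return EDDSA_OK;
}

/* Constructed sample: 31-byte r (one zero byte stripped) starting with 0x40.
   Returns 1 if the padded result is 00 40 AB AB ... */
int demo_short_r(void)
{
  unsigned char r[31], out[32];
  memset(r, 0xAB, sizeof r);
  r[0] = 0x40;
  if (eddsa_leftpad(r, sizeof r, 32, out) != EDDSA_OK)
    return 0;
  return out[0] == 0x00 && out[1] == 0x40 && memcmp(out + 2, r + 1, 30) == 0;
}

/* Constructed sample: 33 bytes, 0x40 then 32 data bytes. Returns 1 if it is
   rejected as r but accepted as a prefixed key point. */
int demo_prefixed_input(void)
{
  unsigned char in[33], out[32];
  memset(in, 0xCD, sizeof in);
  in[0] = 0x40;
  return eddsa_leftpad(in, sizeof in, 32, out) == EDDSA_ERR_LENGTH
      && eddsa_strip_prefix(in, sizeof in, 32, out) == EDDSA_OK
      && out[0] == 0xCD && out[31] == 0xCD;
}
```

The first demo shows why r cannot accept a prefix: a shortened r may itself begin with 0x40, and only a fixed "no prefix" rule keeps that byte from being misread.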