Yesterday I switched to the current Libgcrypt master and this morning I realized that I was no longer able to decrypt mails addressed to me. The reason is a change in the computation of the keygrip for cv25519. This regression was part of commit rGc3f39b6b55db618f77e983125072081c15bfbdd6 which came with the comment
- cipher/ecc-curves.c (domain_parms): Fix as the errata of RFC.
The errata is https://www.rfc-editor.org/errata/eid4730 which changed the y coordinate of the base point:
The Montgomery form of the curve is generally used with a ladder, where the v coordinate is unused and unspecified. Thus I picked the smaller of the two possible values for v. However, the curve is birationally equivalent to edwards25519, where both coordinates of the base point are used and are already in widespread use. Sadly, picking the smaller of the values for v ends up mapping to the negative of the base point on edwards25519. This change replaces v with -v so that it matches up.
As stated in the description, it does not matter for our purpose, and keeping the keygrip the same is obviously more important than a correct parameter description. The simplest way to fix that would be to revert the change. Another option would be a dedicated keygrip computation for that curve.
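The effect described above, as an added example that is not part of the original report or of Libgcrypt: it derives both possible v values for the base point u = 9, checks that they are negatives of each other on the curve, and shows that a digest covering the base point changes when v is swapped. The function model_keygrip is a hypothetical, simplified stand-in for the real keygrip serialization, and SAMPLE_Q is a constructed public key value.

```python
import hashlib

P = 2**255 - 19   # field prime of curve25519
A = 486662        # Montgomery coefficient in v^2 = u^3 + A*u^2 + u
U = 9             # u coordinate of the base point

def sqrt_mod_p(a):
    """Return one square root of a modulo P (valid because P % 8 == 5), or None."""
    a %= P
    r = pow(a, (P + 3) // 8, P)
    if r * r % P != a:
        # Multiply by sqrt(-1) = 2^((P-1)/4) to get the other candidate.
        r = r * pow(2, (P - 1) // 4, P) % P
    return r if r * r % P == a else None

def base_point_v_candidates():
    """Return (smaller, larger): the two v values that pair with u = 9."""
    v = sqrt_mod_p(U**3 + A * U**2 + U)
    return tuple(sorted((v, P - v)))

def on_curve(u, v):
    """Check the Montgomery curve equation for the point (u, v)."""
    return (v * v - (u**3 + A * u**2 + u)) % P == 0

def model_keygrip(v, q):
    """Simplified model (assumption, not Libgcrypt's exact format):
    SHA-1 over labelled domain parameters, base point and public key."""
    def be(n):
        return n.to_bytes(32, "big")
    g = b"\x04" + be(U) + be(v)          # uncompressed base point
    h = hashlib.sha1()
    for name, val in ((b"p", be(P)), (b"a", be(A)), (b"g", g), (b"q", q)):
        h.update(b"(1:%s%d:" % (name, len(val)) + val + b")")
    return h.hexdigest().upper()

SAMPLE_Q = bytes(range(32))  # constructed public key bytes, not a real key

if __name__ == "__main__":
    small, large = base_point_v_candidates()
    print("smaller v (picked first)   :", small)
    print("larger v (after the errata):", large)
    print("both on curve:", on_curve(U, small), on_curve(U, large))
    print("grip with smaller v:", model_keygrip(small, SAMPLE_Q))
    print("grip with larger v :", model_keygrip(large, SAMPLE_Q))
```

Because the stored private key is looked up by keygrip, the same key material yields a different lookup name once the base point in the parameter table changes, which is why existing keys stop being found.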