Yutaka Niibe at
Given the situation of libgcrypt structure, I had to use general purpose MPI routines, which was far from "constant-time".
I had known that it killed the important point of Curve25519, which is designed to be "constant-time".
I thought that "Still, it's better than nothing". Perhaps, this kind of attitude would not be good.
Well, along with quick fix of the vulnerability, I also do real improvement: https://dev.gnupg.org/T3358; While this becomes better implementation, it has not yet had field specific representation. The representation is still MPI. (Original implementation of Curve25519 uses limb of 2^51 to avoid carry between limbs.)
And... during this CVE handling, I realized that libgcrypt from Fedora/RedHat doesn't support Curve25519, because of ECC patent fear. It only enabled in the development version recently.
... in the development version recently.
I wrote this based on this comment:
But it seems that Curve25519 is already available in F26, with libgcrypt-1.7. If so, security fix by libgcrypt-1.7.9 should be used.