[PATCH] Truncate hash values for ECDSA signature scheme

Dmitry Eremin-Solenikov dbaryshkov at gmail.com
Mon Dec 16 19:05:22 CET 2013


On Mon, Dec 16, 2013 at 9:03 PM, Werner Koch <wk at gnupg.org> wrote:
> On Mon, 16 Dec 2013 17:34, dbaryshkov at gmail.com said:
>> * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign, _gcry_ecc_ecdsa_verify):
>>   as required by ECDSA scheme, truncate hash values to bitlength of
>>   used curve.
>
> Please explain and name the specs.  In particular I wonder about
> truncating the less significant bits.

I don't have access to specs (thanks ANSI), I'm still researching this topic.
Wikipedia slightly mentions that: https://en.wikipedia.org/wiki/ECDSA
At least this is what other libraries do:

OpenSSL
http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/ecdsa/ecs_ossl.c;h=adab1f74b41daf6e719ca1fdae1ba817085c7802;hb=HEAD#l309

Nettle:
http://git.lysator.liu.se/nettle/nettle/blobs/master/ecc-ecdsa-sign.c#line86
http://git.lysator.liu.se/nettle/nettle/blobs/master/ecc-hash.c

NSS:
https://hg.mozilla.org/projects/nss/file/49360b638350/lib/freebl/ec.c#l746


Note: we are truncating hash, so there should be no difference in truncating
LSB or MSB. Both should be equally distributed.


-- 
With best wishes
Dmitry
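
The truncation step discussed in this thread, as an added example that is not part of the original message or of libgcrypt's code. FIPS 186-4 and RFC 6979 (bits2int) specify keeping the leftmost bits of the hash; when the group order's bit length is not a multiple of 8, that is a byte cut followed by a right shift, as in the OpenSSL code linked above. The function name `ecdsa_truncate_hash` and all sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not libgcrypt's API): keep the leftmost
 * min(qbits, 8 * hash_len) bits of `hash`, interpreted as a big-endian
 * integer, and write it to `out` (at least hash_len bytes).
 * Returns the number of bytes written. */
size_t ecdsa_truncate_hash(const uint8_t *hash, size_t hash_len,
                           unsigned qbits, uint8_t *out)
{
    size_t n = hash_len;
    unsigned shift = 0;

    if (8 * hash_len > qbits) {
        n = (qbits + 7) / 8;                 /* whole bytes that hold qbits */
        shift = (unsigned)(8 * n - qbits);   /* surplus low bits, 0..7 */
    }

    unsigned carry = 0;                      /* bits pushed out of previous byte */
    for (size_t i = 0; i < n; i++) {
        out[i] = (uint8_t)((carry << (8 - shift)) | (hash[i] >> shift));
        carry = hash[i] & ((1u << shift) - 1u);
    }
    return n;
}

int main(void)
{
    /* Constructed 32-byte digest standing in for a SHA-256 output. */
    uint8_t digest[32], e[32];
    for (size_t i = 0; i < sizeof digest; i++)
        digest[i] = (uint8_t)(0xA0 + i);

    /* 163-bit group order: 21 bytes kept, then shifted right by 5 bits. */
    size_t n = ecdsa_truncate_hash(digest, sizeof digest, 163, e);
    for (size_t i = 0; i < n; i++)
        printf("%02x", e[i]);
    printf("\n");
    return 0;
}
```

Signer and verifier must apply the same rule: a verifier that keeps different bits of the digest derives a different integer and rejects signatures that other implementations accept.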