[PATCH] Truncate hash values for ECDSA signature scheme
Dmitry Eremin-Solenikov dbaryshkov at gmail.com
Mon Dec 16 19:05:22 CET 2013

On Mon, Dec 16, 2013 at 9:03 PM, Werner Koch <wk at gnupg.org> wrote:
> On Mon, 16 Dec 2013 17:34, dbaryshkov at gmail.com said:
>> * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign, _gcry_ecc_ecdsa_verify):
>>   as required by ECDSA scheme, truncate hash values to bitlength of
>>   used curve.
>
> Please explain and name the specs.  In particular I wonder about
> truncating the less significant bits.
I don't have access to specs (thanks ANSI), I'm still researching this topic.
Wikipedia slightly mentions that: https://en.wikipedia.org/wiki/ECDSA
At least this is what other libraries do:
OpenSSL
http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/ecdsa/ecs_ossl.c;h=adab1f74b41daf6e719ca1fdae1ba817085c7802;hb=HEAD#l309
Nettle:
http://git.lysator.liu.se/nettle/nettle/blobs/master/ecc-ecdsa-sign.c#line86
http://git.lysator.liu.se/nettle/nettle/blobs/master/ecc-hash.c
NSS:
https://hg.mozilla.org/projects/nss/file/49360b638350/lib/freebl/ec.c#l746
Note: we are truncating hash, so there should be no difference in truncating
LSB or MSB. Both should be equally distributed.
-- 
With best wishes
Dmitry
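
Added example, not part of the original message and not libgcrypt code: a sketch of the truncation step discussed above, following the bits2int convention of RFC 6979 section 2.3.2 and SEC 1, which keep the leftmost bits of the digest. The function name, the parameter qbits (bit length of the curve order) and the sample digest are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reduce a big-endian digest to its leftmost qbits bits, where qbits is the
 * bit length of the curve order. out must hold at least hlen bytes.
 * Returns the number of bytes written to out. */
size_t ecdsa_truncate_hash(const uint8_t *hash, size_t hlen,
                           unsigned qbits, uint8_t *out)
{
    size_t qbytes = (qbits + 7) / 8;
    unsigned shift = (8 - qbits % 8) % 8;
    size_t i;

    /* Digest no longer than the order: nothing to truncate. */
    if (hlen * 8 <= qbits) {
        memcpy(out, hash, hlen);
        return hlen;
    }
    /* Keep the leading bytes that contain the leftmost qbits bits. */
    memcpy(out, hash, qbytes);
    /* Order length not a multiple of 8: shift the kept bytes right so the
     * surplus low-order bits of the last byte are dropped. Walk from the
     * last byte upwards so out[i-1] is still unshifted when it is read. */
    if (shift) {
        for (i = qbytes; i-- > 1; )
            out[i] = (uint8_t)((out[i] >> shift) | (out[i - 1] << (8 - shift)));
        out[0] >>= shift;
    }
    return qbytes;
}

int main(void)
{
    /* Constructed 32-bit "digest" and constructed order lengths. */
    const uint8_t digest[4] = { 0xAB, 0xCD, 0xEF, 0x12 };
    const unsigned lengths[3] = { 12, 16, 30 };
    uint8_t out[4];
    size_t n, i, k;

    for (k = 0; k < 3; k++) {
        n = ecdsa_truncate_hash(digest, sizeof digest, lengths[k], out);
        printf("qbits=%2u ->", lengths[k]);
        for (i = 0; i < n; i++)
            printf(" %02X", out[i]);
        printf("\n");
    }
    return 0;
}
```

Signer and verifier must derive the same integer from the digest, so both sides have to apply the same truncation rule.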