[PATCH] Truncate hash values for ECDSA signature scheme

Dmitry Eremin-Solenikov dbaryshkov at gmail.com
Mon Dec 16 23:47:10 CET 2013

On Tue, Dec 17, 2013 at 1:48 AM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Mon, 2013-12-16 at 22:05 +0400, Dmitry Eremin-Solenikov wrote:
>> >> * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign, _gcry_ecc_ecdsa_verify):
>> >>   as required by ECDSA scheme, truncate hash values to bitlength of
>> >>   used curve.
>> > Please explain and name the specs.  In particular I wonder about
>> > truncating the less significant bits.
>> I don't have access to specs (thanks ANSI), I'm still researching this topic.
>> Wikipedia slightly mentions that: https://en.wikipedia.org/wiki/ECDSA
> The spec for ECDSA (and DSA) is FIPS-186-4 [0]. I believe the text you
> are looking for is: "When the length of the output of the hash function
> is greater than the bit length of n, then the leftmost n bits of the
> hash function output block shall be used in any calculation using the
> hash function output during the generation or verification of a digital
> signature."
> [0]. http://csrc.nist.gov/publications/PubsFIPS.html

Ah, I see, I skimmed FIPS 186-4, but I was mostly paying attention
to ECDSA paragraphs, not to the generic ones.  However your
quote broadens my question. I checked dsa_sign() function and its
sign() part - it looks like gcrypt should also truncate an mpi there (it is done
only for originally-opaque mpis, not for 'normal' ones).
Should it or should it not?
Should it or should it not?

With best wishes
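
The truncation rule quoted from FIPS 186-4 in this thread, as an added example that is not part of the original message and is not libgcrypt code. The helper name `ecdsa_truncate_hash`, the 163-bit order length and the sample digest are assumptions constructed for illustration; the case worth seeing is a bit length that is not a multiple of 8, where dropping whole bytes is not enough and the kept bytes must also be shifted right.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libgcrypt): keep the leftmost qbits bits of a
 * big-endian digest and write them to out as a big-endian integer, i.e.
 * right-aligned with the unused top bits zero.  A digest that is not longer
 * than qbits is copied unchanged.  out must have room for hlen bytes.
 * Returns the number of bytes written. */
size_t ecdsa_truncate_hash(const uint8_t *hash, size_t hlen,
                           unsigned qbits, uint8_t *out)
{
    if (hlen * 8 <= qbits) {            /* nothing to cut off */
        memcpy(out, hash, hlen);
        return hlen;
    }
    size_t olen = (qbits + 7) / 8;                   /* bytes that hold qbits */
    unsigned shift = (unsigned)(olen * 8 - qbits);   /* surplus low bits, 0..7 */
    uint8_t carry = 0;
    for (size_t i = 0; i < olen; i++) {
        uint8_t b = hash[i];
        /* high part of this byte, plus the bits pushed out of the previous one */
        out[i] = (uint8_t)((b >> shift) | carry);
        carry = shift ? (uint8_t)(b << (8 - shift)) : 0;
    }
    return olen;
}

int main(void)
{
    /* Constructed 32-byte digest (not a real hash of anything). */
    uint8_t digest[32], out[32];
    for (size_t i = 0; i < sizeof digest; i++)
        digest[i] = (uint8_t)(0xF0 + i);

    /* Assumed group order of 163 bits: 21 bytes kept, shifted right by 5. */
    size_t n = ecdsa_truncate_hash(digest, sizeof digest, 163, out);
    printf("%zu bytes: ", n);
    for (size_t i = 0; i < n; i++)
        printf("%02x", out[i]);
    printf("\n");
    return 0;
}
```

The same value must be computed on both the signing and the verifying side, so a mismatch in this step shows up as signatures that fail to verify against other implementations whenever the digest is longer than the group order.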
