[PATCH] Truncate hash values for ECDSA signature scheme

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Dec 16 22:48:10 CET 2013

On Mon, 2013-12-16 at 22:05 +0400, Dmitry Eremin-Solenikov wrote:

> >> * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign, _gcry_ecc_ecdsa_verify):
> >>   as required by ECDSA scheme, truncate hash values to bitlength of
> >>   used curve.
> > Please explain and name the specs.  In particular I wonder about
> > truncating the less significant bits.
> I don't have access to specs (thanks ANSI), I'm still researching this topic.
> Wikipedia slighlty mentions that: https://en.wikipedia.org/wiki/ECDSA

The spec for ECDSA (and DSA) is FIPS-186-4 [0]. I believe the text you
are looking for is: "When the length of the output of the hash function
is greater than the bit length of n, then the leftmost n bits of the
hash function output block shall be used in any calculation using the
hash function output during the generation or verification of a digital

[0]. http://csrc.nist.gov/publications/PubsFIPS.html


More information about the Gcrypt-devel mailing list