[PATCH] Truncate hash values for ECDSA signature scheme
Nikos Mavrogiannopoulos
nmav at gnutls.org
Mon Dec 16 22:48:10 CET 2013
On Mon, 2013-12-16 at 22:05 +0400, Dmitry Eremin-Solenikov wrote:
> >> * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign, _gcry_ecc_ecdsa_verify):
> >> as required by ECDSA scheme, truncate hash values to bitlength of
> >> used curve.
> > Please explain and name the specs. In particular I wonder about
> > truncating the less significant bits.
>
> I don't have access to specs (thanks ANSI), I'm still researching this topic.
> Wikipedia slighlty mentions that: https://en.wikipedia.org/wiki/ECDSA
The spec for ECDSA (and DSA) is FIPS-186-4 [0]. I believe the text you
are looking for is: "When the length of the output of the hash function
is greater than the bit length of n, then the leftmost n bits of the
hash function output block shall be used in any calculation using the
hash function output during the generation or verification of a digital
signature."
[0]. http://csrc.nist.gov/publications/PubsFIPS.html
regards,
Nikos
More information about the Gcrypt-devel
mailing list