[PATCH] Truncate hash values for ECDSA signature scheme

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Dec 17 08:37:35 CET 2013

On Tue, 2013-12-17 at 02:47 +0400, Dmitry Eremin-Solenikov wrote:

> Ah,  I see, I skimmed FIPS 186-4, but I was mostly paying attention
> to ECDSA paragraphs, not to the generic ones.  However your
> quote broadens my question. I checked dsa_sign() function and its
> sign() part - it looks like gcrypt shoud also truncate an mpi there (it is done
> only for originally-opaque mpis, not for 'normal' ones).
> Should it or should it not?

My understanding is that truncation applies to both DSA and ECDSA (I'm
not aware of the difference in opaque-mpis and normal ones though). It
is more interesting that truncation should also apply on the bit-level
(i.e., on a curve of 255 bits, the truncation of SHA256 should be done
by a single bit), but I don't think any implementation does that.


More information about the Gcrypt-devel mailing list