[PATCH] Truncate hash values for ECDSA signature scheme

Werner Koch wk at gnupg.org
Tue Dec 17 09:52:10 CET 2013

On Tue, 17 Dec 2013 08:37, nmav at gnutls.org said:

> My understanding is that truncation applies to both DSA and ECDSA (I'm
> not aware of the difference in opaque-mpis and normal ones though). It
> is more interesting that truncation should also apply on the bit-level
> (i.e., on a curve of 255 bits, the truncation of SHA256 should be done
> by a single bit), but I don't think any implementation does that.

Libgcrypt does that; it was not readily accessible by my brain, given that
I mostly did EdDSA stuff the last weeks:

  /* Convert the INPUT into an MPI if needed.  */
  if (mpi_is_opaque (input))
    {
      /* Opaque MPI: raw hash bytes with an explicit bit length ABITS.  */
      abuf = mpi_get_opaque (input, &abits);
      rc = _gcry_mpi_scan (&hash, GCRYMPI_FMT_USG, abuf, (abits+7)/8, NULL);
      if (rc)
        return rc;
      /* Keep only the leftmost QBITS bits of the hash.  */
      if (abits > qbits)
        mpi_rshift (hash, hash, abits - qbits);
    }
  else
    hash = input;

I am not 100% that the conversion to an unsigned integer and then
shifting the MPI is the right solution.  However, given that the same
code is in the DSA code and that passed the FIPS validation, it should
be okay.

In general I prefer to use opaque MPIs for hash values because that
avoids the leading zero problems and is anyway better for data which is
not a number.  For historic reasons an MPI is sometimes passed to the
functions and thus we need to implement the two cases.

Having said this, I think it is okay to apply Dimitry's patch to the
master (1.7).

Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
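The truncation rule discussed above, as an added example that is not part of the original mail and not libgcrypt's code: a Python model of the opaque-MPI path (scan the raw digest as an unsigned integer, then right-shift by the excess bits), next to the whole-byte truncation most implementations do and the fragile variant that infers the hash length from the integer's bit length. The digests below are constructed; the 255-bit order stands in for a curve such as the one nmav mentions.

```python
import hashlib
import math


def truncate_hash(digest: bytes, qbits: int) -> int:
    """Leftmost min(len(digest)*8, qbits) bits of the digest as an integer.

    This mirrors the opaque-MPI branch in the mail: the declared length ABITS
    comes from the byte string, not from the integer value, so leading zero
    bits in the digest do not change the shift amount.
    """
    abits = len(digest) * 8
    h = int.from_bytes(digest, "big")          # _gcry_mpi_scan, FMT_USG
    if abits > qbits:
        h >>= abits - qbits                    # mpi_rshift by abits - qbits
    return h


def truncate_bytes(digest: bytes, qbits: int) -> int:
    """Whole-byte truncation: keep the first ceil(qbits/8) bytes only.

    For a 255-bit order and SHA-256 this keeps all 32 bytes, i.e. it does not
    truncate at all, which is the behaviour nmav describes as common.
    """
    return int.from_bytes(digest[: math.ceil(qbits / 8)], "big")


def truncate_from_int(h: int, qbits: int) -> int:
    """Fragile variant: derive the hash length from the integer itself.

    An MPI carries no notion of its original byte length, so a digest whose
    top bits are zero looks shorter than it is and is shifted too little.
    This is the 'leading zero problem' the mail refers to.
    """
    nbits = h.bit_length()
    if nbits > qbits:
        h >>= nbits - qbits
    return h


def compare(digest: bytes, qbits: int) -> dict:
    """Return the three truncations side by side for a given digest."""
    h = int.from_bytes(digest, "big")
    return {
        "bit_level": truncate_hash(digest, qbits),
        "byte_level": truncate_bytes(digest, qbits),
        "from_int": truncate_from_int(h, qbits),
    }


if __name__ == "__main__":
    # Constructed input; any 32-byte digest behaves the same way.
    d = hashlib.sha256(b"constructed message").digest()
    for name, val in compare(d, 255).items():
        print(f"{name:>10}: {val:064x}")

    # Constructed digest with 9 leading zero bits: the integer-based variant
    # sees a 247-bit number and does not shift, the opaque path shifts by 1.
    d0 = bytes([0x00, 0x7F]) + b"\xaa" * 30
    for name, val in compare(d0, 255).items():
        print(f"{name:>10}: {val:064x}")
```

The `compare` output for the second digest is the case to look at: only the length-aware path agrees with the FIPS 186-4 / RFC 6979 rule of taking the leftmost `qbits` bits, which is why the mail prefers opaque MPIs for hash input.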
