[PATCH 3/3] Add support for GOST R 34.10-2001/-2012 signatures

Dmitry Eremin-Solenikov dbaryshkov at gmail.com
Thu Oct 3 21:56:22 CEST 2013


Hello,

On Thu, Oct 3, 2013 at 5:11 PM, NIIBE Yutaka <gniibe at fsij.org> wrote:
>
> If q = g and P = G for a GOST curve, there is nothing to distinguish
> ECC_DIALECT_STANDARD and ECC_DIALECT_GOST_R34_10.
>
> If q < g and P /= G for a GOST curve, we need to distinguish dialects.
>
> If we have optional fields and let a GOST curve have g and G too, we can
> compute an ECDSA signature with a GOST curve.

Hmm. It's my fault. In the standard itself, there are two distinct values:
m (the group order) and q (the subgroup order). However, two facts
distracted me. First, in both of the curves defined in the standard, m = q.
Second, rfc4357 (which supplements the standards with exact parameters,
values, etc.) defines only the q parameter for the curves that are used/defined.

It looks like there is a possibility for m and q to differ. Thank you very much
for pointing me to it! Even if we verify that the curves defined in rfc4357 use m=q,
there is absolutely no guarantee that future curves will follow.

So it really looks like a separate domain, at least from the 'pure
math' perspective.
I like Werner's idea of DIALECT_SUBGROUP. It defines the curve parameters
and still leaves enough space for possible standards/curves which decide to use
a subgroup instead of the full group.

Werner, would you take the first two patches in this series?

-- 
With best wishes
Dmitry
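The distinction discussed above, between the full group order m and the prime subgroup order q that GOST R 34.10 scalars are reduced modulo, is shown below on a toy curve. This is an added example, not code from libgcrypt or from the patch series: the curve y^2 = x^3 + x + 1 over F_23 is a constructed textbook curve (not a GOST parameter set) chosen because it has m = 28 = 4 * 7, so the cofactor is 4 and q = 7 differs from m. The functions `gost_sign`/`gost_verify` take the modulus as an explicit parameter so that the consequence of handing them m instead of q is visible: the hash value e may have no inverse modulo a composite m, and a signer and verifier that disagree on the modulus do not interoperate.

```python
"""Toy model of GOST R 34.10-2001 signing over a curve whose group order m
differs from its prime subgroup order q (added example, constructed values)."""

P_MOD = 23          # field prime (constructed toy value)
A, B = 1, 1         # y^2 = x^3 + x + 1 over F_23 (constructed toy curve)
INF = None          # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Affine point addition over F_p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                              # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def group_order():
    """m: brute-force count of affine points plus the point at infinity."""
    return 1 + sum(on_curve((x, y)) for x in range(P_MOD) for y in range(P_MOD))


def largest_prime_factor(n):
    """q: the prime subgroup order we want to work in (largest prime dividing m)."""
    best, f = 1, 2
    while f * f <= n:
        while n % f == 0:
            best, n = f, n // f
        f += 1
    return max(best, n) if n > 1 else best


def subgroup_generator(m, q):
    """Scale any curve point by the cofactor h = m/q to land in the order-q subgroup."""
    h = m // q
    for x in range(P_MOD):
        for y in range(P_MOD):
            if on_curve((x, y)):
                g = mul(h, (x, y))
                if g is not INF:
                    return g
    raise ValueError("no point of order q found")


def gost_sign(d, e, k, gen, modulus):
    """GOST R 34.10-2001 signing; 'modulus' must be q (passing m is the bug shown)."""
    e = e % modulus or 1
    r = mul(k, gen)[0] % modulus
    s = (r * d + k * e) % modulus
    if r == 0 or s == 0:
        raise ValueError("degenerate k, pick another")
    return r, s


def gost_verify(pub, e, sig, gen, modulus):
    """GOST R 34.10-2001 verification; False if e has no inverse mod 'modulus'."""
    r, s = sig
    e = e % modulus or 1
    if not (0 < r < modulus and 0 < s < modulus):
        return False
    try:
        v = pow(e, -1, modulus)             # fails when modulus is composite m
    except ValueError:
        return False
    z1 = s * v % modulus
    z2 = (-r * v) % modulus
    c = add(mul(z1, gen), mul(z2, pub))
    return c is not INF and c[0] % modulus == r


if __name__ == "__main__":
    m, q = group_order(), largest_prime_factor(group_order())
    gen = subgroup_generator(m, q)
    pub = mul(3, gen)
    sig = gost_sign(3, e=6, k=2, gen=gen, modulus=q)
    print(m, q, gen, gost_verify(pub, 6, sig, gen, q), gost_verify(pub, 6, sig, gen, m))
```

Running it prints m = 28, q = 7 and a generator of order 7; the signature verifies under q but not under m, because 6 has no inverse modulo 28. A signature produced with m as the modulus likewise fails to verify under q, which is exactly why the curve parameters need a separate field for the subgroup order rather than assuming q = m.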
