Suspicious about sign_ecdsa

Dmitry Eremin-Solenikov dbaryshkov at
Tue Sep 24 21:48:14 CEST 2013


While implementing GOST EC signatures, I stumbled upon sign_edsa() function.
It contains two nested while() loops and a comment regarding inner (generate k,
compute r loop) that is is a while and not do_while, because we don't want to
recompute r.

This made me extremely suspicious. It looks to me like a possible endless loop.
If generated k makes r != 0, but s = 0, sign_ecdsa will loop forever, as code
outside while (r != 0) loop does not contain any non-deterministic option.

In my opinion, the code should look this way:

while (s != 0)
   do {
      k = generate();
      r = calculate(k);
   } while (r != 0)
   s = calculate(r, k);

What is your opinion?

With best wishes

More information about the Gcrypt-devel mailing list