[git] GCRYPT - branch, master, updated. post-nuke-of-trailing-ws-26-g50c35d1

by Werner Koch cvs at cvs.gnupg.org
Fri Apr 8 15:34:11 CEST 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  50c35d1f2a0c8cb1f7480ba0bd046088b636afb9 (commit)
      from  ff10bd860da982d8ecad39a02156816998951e67 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 50c35d1f2a0c8cb1f7480ba0bd046088b636afb9
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Apr 8 14:59:25 2011 +0200

    Add a few comments to explain the generation of k.

diff --git a/cipher/dsa.c b/cipher/dsa.c
index d7631a1..0d8abcf 100644
--- a/cipher/dsa.c
+++ b/cipher/dsa.c
@@ -141,6 +141,11 @@ gen_k( gcry_mpi_t q )
   unsigned int nbytes = (nbits+7)/8;
   char *rndbuf = NULL;
 
+  /* To learn why we don't use mpi_mod to get the requested bit size,
+     read the paper: "The Insecurity of the Digital Signature
+     Algorithm with Partially Known Nonces" by Nguyen and Shparlinski.
+     Journal of Cryptology, New York. Vol 15, nr 3 (2003)  */
+
   if ( DBG_CIPHER )
     log_debug("choosing a random k ");
   for (;;)
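Review bot: The new comment at the top of this hunk points the reader to the Nguyen-Shparlinski paper but does not say what is wrong with using mpi_mod here, nor what is done instead. One sentence would make the rationale self-contained, for example: "Reducing a longer random value modulo q does not give a uniform k; a nonce with even a small known bias leaks the private key over a number of signatures, so we generate exactly nbits random bits instead." Also drop the double space before the closing `*/`.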
@@ -156,13 +161,20 @@ gen_k( gcry_mpi_t q )
       else
         { /* Change only some of the higher bits.  We could improve
 	     this by directly requesting more memory at the first call
-	     to get_random_bytes() and use this the here maybe it is
-	     easier to do this directly in random.c. */
+	     to get_random_bytes() and use these extra bytes here.
+	     However the required management code is more complex and
+	     thus we better use this simple method.  */
           char *pp = gcry_random_bytes_secure( 4, GCRY_STRONG_RANDOM );
           memcpy( rndbuf,pp, 4 );
           gcry_free(pp);
 	}
       _gcry_mpi_set_buffer( k, rndbuf, nbytes, 0 );
+
+      /* Make sure we have the requested number of bits.  This code
+         looks a bit funny but it is easy to understand if you
+         consider that mpi_set_highbit clears all higher bits.  We
+         don't have a clear_highbit, thus we first set the high bit
+         and then clear it again.  */
       if ( mpi_test_bit( k, nbits-1 ) )
         mpi_set_highbit( k, nbits-1 );
       else
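Review bot: The comment introduced before the if/else ("Make sure we have the requested number of bits ...") depends on mpi_set_highbit clearing every bit above the one it sets. That side effect is not suggested by the function's name, so state explicitly (or point to where it is documented) that this is guaranteed behaviour rather than an implementation detail, because truncating k to nbits relies on it. Minor wording in the reworded comment earlier in the hunk: "However the required management code" wants a comma after "However", and "we better use this simple method" reads better as "it is better to use this simple method".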

-----------------------------------------------------------------------

Summary of changes:
 cipher/dsa.c |   16 ++++++++++++++--
 1 files changed, 14 insertions(+), 2 deletions(-)


hooks/post-receive
-- 
The GNU crypto library
http://git.gnupg.org