Marcus Brinkmann marcus.brinkmann at
Mon Apr 30 01:09:05 CEST 2007

At Wed, 28 Mar 2007 14:20:33 +0200,
Simon Josefsson <simon at> wrote:
> I get failures for the 512 bit ECDSA signatures sometimes:
> jas at mocca:~/src/libgcrypt$ tests/benchmark ecc
> Algorithm       generate  100*sign  100*verify
> ----------------------------------------------
> ECDSA 192 bit       20ms     450ms       830ms
> ECDSA 224 bit       20ms     580ms      1040ms
> ECDSA 256 bit       30ms     720ms      1300ms
> ECDSA 384 bit       60ms    1620ms      3180ms
> ECDSA 521 bit      170ms    4030ms
> benchmark: verify failed: Bad signature
> jas at mocca:~/src/libgcrypt$
> It seems to fail about 25 % of the time or so.  Can you reproduce
> this?

And Werner Koch <wk at> writes:
> Yes.  I realized that too late.  It happens with all key sizes. Not
> sure whetehr I will be abale to debug it today.  I spend a bit too
> much time on ecc recently ;-)

And sbt at said:
> Every times that this appears when I am testing with gdb, the verification 
> broke the normal flow because (x!=r) in the ecc.c:658 comparison. I checking 
> out if the problem was in the signature process, and I thing not. IMHO I 
> think the problem could be in the coordinates conversion from projective to 
> affine.

I fixed this now.  The problem was indeed related to conversion from
projective to affine, but very superficial: If the affine y coordinate
used less bytes in their bit representation than the prime number,
then the memmove in ec2os would overwrite the y coordinate by some
shifted version of the x coordinate.  Fixed in revision 1237:

2007-04-30  Marcus Brinkmann  <marcus at>

        * ecc.c (ec2os): Fix relocation of short numbers.

I also fixed a bunch of memory leaks.


Gnupg-devel mailing list
Gnupg-devel at

More information about the Gnupg-devel mailing list