yet another tiny feature: deterministic ECDSA

Christian Grothoff christian at grothoff.org
Fri Apr 12 15:24:45 CEST 2013


On 04/12/2013 01:55 PM, Werner Koch wrote:
> On Fri, 12 Apr 2013 09:38, christian at grothoff.org said:
>
>> But not for what we're doing.  If you want to read up on the
>> details, see https://gnunet.org/bugs/view.php?id=2564
> What is your plan if you have to use a K which leads to either R or S
> being 0?  ECDSA loops until it finds a suitable K.  Agreed, this is a
> rare event but you had better have a plan.

Well, I considered it rare enough to not care (if we fail in 1:2^256,
that's fine by me), but this has already been answered:

On 04/12/2013 03:16 PM, Tom Ritter wrote:
>
> There is a method to do deterministic DSA safely (as far as anyone 
> knows), that's been looked at some: 
> http://tools.ietf.org/html/draft-pornin-deterministic-dsa-01
>
> -tom
>

Using this method would be fine by me as well; I can supply 'h1' (the
H(m)) instead of the exact 'k' value.  What I care about is having an
option to achieve determinism.  Also, as in our case 'm' itself is
encrypted before being signed, I'd like to do the hashing myself, as
using h1 = H(E(m)) will give the adversary (who doesn't know 'm') more
information about 'k' than simply using h1 = H(m).

Happy hacking!

Christian
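As an added example (not from this thread, and not libgcrypt's or GNUnet's code), here is the draft-pornin k derivation (later RFC 6979) in Python: it takes the caller-supplied digest h1 rather than hashing m itself, and exposes the retry step as a generator so a signer can pull the next k if r or s comes out 0. The P-256 order, private key and expected k are the RFC 6979 appendix A.2.5 test vector for message "sample"; only hashlib and hmac are assumed.

```python
import hashlib
import hmac

# NIST P-256 group order and the RFC 6979 appendix A.2.5 private key.
P256_Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721

def bits2int(b: bytes, qlen: int) -> int:
    # Leftmost qlen bits of b as an integer (RFC 6979, 2.3.2).
    x = int.from_bytes(b, "big")
    blen = len(b) * 8
    return x >> (blen - qlen) if blen > qlen else x

def int2octets(x: int, rlen: int) -> bytes:
    return x.to_bytes(rlen, "big")

def bits2octets(b: bytes, q: int, rlen: int) -> bytes:
    # bits2int, reduce mod q (one subtraction suffices), fixed width (2.3.4).
    z1 = bits2int(b, q.bit_length())
    return int2octets(z1 - q if z1 >= q else z1, rlen)

def rfc6979_candidates(q: int, x: int, h1: bytes, hashfunc=hashlib.sha256):
    """Yield successive nonces k derived from (x, h1) via HMAC_DRBG (RFC 6979, 3.2).
    h1 is the caller-supplied digest; if a k gives r == 0 or s == 0 the signer
    just pulls the next candidate (step h), so no random fallback is needed."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashfunc().digest_size
    mac = lambda key, data: hmac.new(key, data, hashfunc).digest()
    seed = int2octets(x, rlen) + bits2octets(h1, q, rlen)
    V, K = b"\x01" * hlen, b"\x00" * hlen
    K = mac(K, V + b"\x00" + seed)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + seed)
    V = mac(K, V)
    while True:
        T = b""
        while len(T) < rlen:          # collect at least qlen bits
            V = mac(K, V)
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:                # reject k == 0 and k >= q
            yield k
        K = mac(K, V + b"\x00")       # update state before next candidate
        V = mac(K, V)

def rfc6979_k(q: int, x: int, h1: bytes, hashfunc=hashlib.sha256) -> int:
    return next(rfc6979_candidates(q, x, h1, hashfunc))
```

Signing with a different hash than the curve's size (e.g. SHA-256 on P-192) is handled by bits2int truncating T to qlen bits, exactly as the draft specifies.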