Hey Dinis,

Yes you're right. The signing operation will hard-fail in debug mode only. An invalid r and s is detected at the verification operation (function below), as r=0<1 triggers the "return false".
Why does a "good" PRNG prevent r and s from being 0? Because assuming k is chosen uniformly at random you'll get a random point for the message (k*G) and hence a random x-coordinate resulting in a random r (= x mod n). The probability that r=0 with this assumption is around 2^-256 (=negligible) or less. (Because you need to hit one specific value out of a range of a lot of others.) Concerning s the same argument applies. You first invert k resulting in another random value. You multiply this by some other (more or less) random values and get a resulting random value s. The probability that s is 0 should also be around 2^-256 (=negligible).

BR
JPM

On 19.05.2015 at 11:28, Dinis Paes wrote:
> Hi Jean-Pierre,
>
> Thanks for your reply. I looked at the code and I would say that depending on the definition of NDEBUG it's either possible to have zeros for 'r' and 's' or the program aborts.
> I'm not an expert on this subject but can a "good" PRNG by itself prevent 'r' and 's' from being zero independently of the contents of the message being signed?
>
> Best regards,
>
> Dinis
>
> Monday, 18 May 2015 at 22:02:07 UTC+1, jean-pierre.muench wrote:
>
> Hey Dinis,
>
> I just re-read the specification on wikipedia and it explicitly excluded r and s from being zero (because it would be a security threat).
> Hence it should be the case that r or s being zero will never happen and will trigger a re-choice of k.
>
> Well I just re-looked into the code and it looks like Wei Dai decided to go a different route and just assume that this will never happen with a "good" PRNG and hence just trigger an assertion error.
>
> You can verify yourself in the class DL_Algorithm_GDSA<>::Sign() in the file gfpcrypt.h.
> The ECDSA implementation is an EC-instantiation of this, as can be read in eccrypto.h from the following line
>
> class DL_Algorithm_ECDSA : public DL_Algorithm_GDSA<typename EC::Point>
>
> BR
>
> JPM
>
> On 18.05.2015 at 12:05, Dinis Paes wrote:
>> Hi all,
>>
>> Is it possible for crypto++ to generate an ECDSA signature where either 'r' or 's' are zero or does it try again with a different 'k' if any of those values is zero?
>> I apologize if this question was asked before but I couldn't find it in the forum.
>>
>> I'm using:
>> crypto++ 5.6.2
>> Linux 2.6.32-431.29.2.el6.x86_64
>> gcc 4.8.2
>>
>> Thanks for your help,
>>
>> Dinis

--
--
You received this message because you are subscribed to the "Crypto++ Users" Google Group.
To unsubscribe, send an email to [email protected].
More information about Crypto++ and this group is available at http://www.cryptopp.com.
---
You received this message because you are subscribed to the Google Groups "Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
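As an added illustration (not code from the thread or from Crypto++): a toy ECDSA signer and verifier in pure Python over secp256k1. The signer draws a fresh k whenever r or s would be zero, as the specification requires, and the verifier rejects any r or s outside [1, n-1], which is the check that catches a zero value in Crypto++'s release builds. The nonce source `next_k` is injectable only so the retry path can be exercised; real signing must draw k from a CSPRNG.

```python
import secrets

# secp256k1 domain parameters (standard public values)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if a is INF: return b
    if b is INF: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return INF                      # a == -b
    if a == b:                          # doubling (curve coefficient a = 0)
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (toy; not constant-time)."""
    acc = INF
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def sign(d, e, next_k):
    """Return (r, s, attempts) for private key d and hash-as-integer e.
    A nonce giving r == 0 or s == 0 is discarded and a new one drawn,
    which is the re-choice of k the spec calls for."""
    attempts = 0
    while True:
        attempts += 1
        k = next_k()
        if not 1 <= k < N: continue     # k must lie in [1, n-1]
        r = ec_mul(k, G)[0] % N
        if r == 0: continue
        s = pow(k, -1, N) * (e + d * r) % N
        if s == 0: continue
        return r, s, attempts

def verify(Q, e, r, s):
    """Range check first: r == 0 or s == 0 fails here, whatever Q and e are."""
    if not (1 <= r < N and 1 <= s < N): return False
    w = pow(s, -1, N)
    X = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, Q))
    return X is not INF and X[0] % N == r

if __name__ == "__main__":
    d = 1 + secrets.randbelow(N - 1)
    r, s, tries = sign(d, 0x1234, lambda: secrets.randbelow(N))
    print("valid:", verify(ec_mul(d, G), 0x1234, r, s), "attempts:", tries)
```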
