Thanks for the explanation!

Best regards,

Dinis

On Tuesday, 19 May 2015 at 12:12:45 UTC+1, jean-pierre.muench wrote:
>
> Hey Dinis,
>
> Yes, you're right. The signing operation will hard-fail in debug mode only.
> An invalid r and s is detected at the verification operation (function
> below), as r=0<1 triggers the "return false".
>
> Why does a "good" PRNG prevent r and s from being 0?
> Because, assuming k is chosen uniformly at random, you'll get a random point
> for the message (k*G) and hence a random x-coordinate, resulting in a random
> r (= x mod n). The probability that r=0 with this assumption is around
> 2^-256 (=negligible) or less. (Because you need to hit one specific value
> out of a range of a lot of others.)
> Concerning s, the same argument applies. You first invert k, resulting in
> another random value. You multiply this by some other (more or less) random
> values and get a resulting random value s. The probability that s is 0
> should also be around 2^-256 (=negligible).
>
> BR
>
> JPM
>
> On 19.05.2015 at 11:28, Dinis Paes wrote:
>
> Hi Jean-Pierre,
>
> Thanks for your reply. I looked at the code and I would say that
> depending on the definition of NDEBUG it's either possible to have zeros
> for 'r' and 's' or the program aborts.
> I'm not an expert on this subject, but can a "good" PRNG by itself prevent
> 'r' and 's' from being zero independently of the contents of the message
> being signed?
>
> Best regards,
>
> Dinis
>
> On Monday, 18 May 2015 at 22:02:07 UTC+1, jean-pierre.muench wrote:
>>
>> Hey Dinis,
>>
>> I just re-read the specification on Wikipedia and it explicitly excludes
>> r and s from being zero (because it would be a security threat).
>> Hence it should be the case that r or s being zero will never happen and
>> will trigger a re-choice of k.
>>
>> Well, I just re-looked into the code and it looks like Wei Dai decided to
>> go a different route and just assume that this will never happen with a
>> "good" PRNG and hence just trigger an assertion error.
>>
>> You can verify yourself in the class DL_Algorithm_GDSA<>::Sign() in the
>> file gfpcrypt.h. The ECDSA implementation is an EC-instantiation of this,
>> as can be read in eccrypto.h from the following line:
>>
>> class DL_Algorithm_ECDSA : public DL_Algorithm_GDSA<typename EC::Point>
>>
>> BR
>>
>> JPM
>>
>> On 18.05.2015 at 12:05, Dinis Paes wrote:
>>
>> Hi all,
>>
>> Is it possible for crypto++ to generate an ECDSA signature where either
>> 'r' or 's' are zero, or does it try again with a different 'k' if any of
>> those values is zero?
>> I apologize if this question was asked before, but I couldn't find it in
>> the forum.
>>
>> I'm using:
>> crypto++ 5.6.2
>> Linux 2.6.32-431.29.2.el6.x86_64
>> gcc 4.8.2
>>
>> Thanks for your help,
>>
>> Dinis
>>
>> --
>> You received this message because you are subscribed to the "Crypto++
>> Users" Google Group.
>> To unsubscribe, send an email to [email protected].
>> More information about Crypto++ and this group is available at
>> http://www.cryptopp.com.
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "Crypto++ Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
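As an added illustration of the r == 0 / s == 0 handling the thread discusses (example code written for this page; it is not Crypto++ code and does not reproduce DL_Algorithm_GDSA<>::Sign()): a toy ECDSA over the constructed textbook curve y^2 = x^3 + 2x + 2 mod 17 with generator (5, 1) of prime order 19. The parameters are deliberately tiny so that the events both posters call negligible actually occur: with n = 19 two nonces give r = 0 and, for the sample key d = 3 and digest e = 4, two more give s = 0. The signer keeps the spec's retry loop, and the verifier rejects out-of-range r or s before any curve arithmetic, which is the "return false" check Jean-Pierre points to. All function names (sign_with_nonce, rejected_nonces, curve_order, ...) are this example's own.

```python
"""Toy ECDSA showing the r == 0 / s == 0 rejection discussed in the thread.

Curve (constructed, textbook-sized, NOT secure): y^2 = x^3 + 2x + 2 over F_17,
generator G = (5, 1) of prime order n = 19.  The field is tiny on purpose:
with n = 19 the "negligible" events r == 0 and s == 0 really happen, so the
retry loop and the verifier's range check can be exercised deterministically.
"""
import hashlib
import secrets

P = 17          # field prime (constructed toy parameters)
A, B = 2, 2     # curve coefficients of y^2 = x^3 + A x + B
G = (5, 1)      # generator
INF = None      # point at infinity


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A x + B mod P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # P + (-P), also covers y == 0 doubling
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (k == 0 yields INF)."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def curve_order():
    """Order of G, found by repeated addition (fine for a toy curve)."""
    n, point = 1, G
    while point is not INF:
        point = ec_add(point, G)
        n += 1
    return n


N = curve_order()   # 19 for these parameters


def hash_to_int(msg: bytes) -> int:
    """Message digest reduced into [0, n): the 'e' of the signing equation."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_with_nonce(d, e, k):
    """One ECDSA signing attempt with a fixed nonce k.

    Returns (r, s), or None when r == 0 or s == 0, i.e. when the spec says
    this k must be discarded and a fresh one drawn.  (This is the branch the
    thread says Crypto++ 5.6.2 turns into a debug-mode assertion.)
    """
    x, _ = ec_mul(k, G)
    r = x % N
    if r == 0:
        return None
    s = pow(k, -1, N) * (e + d * r) % N
    if s == 0:
        return None
    return (r, s)


def sign(d, e, rng=secrets.randbelow):
    """Spec-conformant signing: redraw k until neither r nor s is zero."""
    while True:
        k = 1 + rng(N - 1)              # uniform k in [1, n-1]
        sig = sign_with_nonce(d, e, k)
        if sig is not None:
            return sig


def verify(q, e, sig):
    """ECDSA verification; the range check on r and s comes first, which is
    what rejects a zero value before any curve arithmetic runs."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    u1 = e * w % N
    u2 = r * w % N
    point = ec_add(ec_mul(u1, G), ec_mul(u2, q))
    if point is INF:
        return False
    return point[0] % N == r


def rejected_nonces(d, e):
    """All k in [1, n-1] that a retrying signer throws away for this d and e."""
    return {k for k in range(1, N) if sign_with_nonce(d, e, k) is None}
```

Calling rejected_nonces(3, 4) lists the four nonces a retrying signer discards for that key and digest (k = 7 and 12 land on the two points with x = 0, so r = 0; k = 1 and 18 give e + d*r a multiple of n, so s = 0). On a real curve the loop effectively never iterates more than once, which is the point both posters make, but it is the verifier's 1 <= r, s < n check that stops a zero value from being accepted should one ever be emitted.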
