List: otr-dev
Subject: [OTR-dev] No hash truncation in DSA signatures
From: Adam Langley <agl () imperialviolet ! org>
Date: 2011-11-29 21:37:41
Message-ID: CAMfhd9VZpavHY46rLk6dJHD_hkQn1MtGjOK4YCQvRSnZNFLKhw () mail ! gmail ! com
In http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html, it says:
"This is the signature, using the private part of the key pubB, of the
32-byte MB (which does not need to be hashed again to produce the
signature)."
In http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf, section 4.6:
"z = the leftmost min(N, outlen) bits of Hash(M)"
Where outlen is the output length of the hash function (256 here) and
N is the bit length of q (160 for OTR).
libgcrypt doesn't do this and, therefore, neither does the OTR protocol. I
think it's worth making a note of that - it screwed me up for a while
:)
Cheers
AGL
--
Adam Langley agl@imperialviolet.org http://www.imperialviolet.org
_______________________________________________
OTR-dev mailing list
OTR-dev@lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
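An added example, not from this thread nor from libotr or libgcrypt, of the interoperability problem the message describes: a DSA signature computed libgcrypt/OTR style over the whole 32-byte MB is rejected by a verifier that first applies the FIPS 186-3 section 4.6 truncation to the leftmost N = 160 bits of the hash. The DSA group is generated in-code for the demo, and the MB value is a constructed stand-in; sign/verify are textbook DSA.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases: adequate for a demo, not a production test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        # squaring loop stops early at n-1 (all() short-circuits); no n-1 means composite
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False
    return True

def dsa_params(n_bits=160, l_bits=512):
    """Constructed demo group: q is an n_bits prime (160, as in OTR) dividing p - 1."""
    q, g = 0, 1
    while not is_probable_prime(q):
        q = secrets.randbits(n_bits) | 1 << (n_bits - 1) | 1
    while g == 1 or not is_probable_prime(p):
        p = q * (secrets.randbits(l_bits - n_bits) & ~1) + 1  # k even, so q | p - 1
        g = pow(2, (p - 1) // q, p)  # has order q unless it degenerates to 1
    return p, q, g

def z_fips(mb, q):  # FIPS 186-3 4.6: z = leftmost min(N, outlen) bits of the hash
    return int.from_bytes(mb, "big") >> max(8 * len(mb) - q.bit_length(), 0)

def z_otr(mb, q):  # libgcrypt / OTR: the whole 32-byte MB is z, nothing truncated
    return int.from_bytes(mb, "big")

def sign(params, x, mb, z_func):
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z_func(mb, q) + x * r) % q
        if r and s:
            return r, s

def verify(params, y, mb, sig, z_func):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, z_func(mb, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r

def interop_demo(params=None):
    """Sign MB the OTR way, then verify it the OTR way and the FIPS way: (True, False)."""
    p, q, g = params = params or dsa_params()
    x = secrets.randbelow(q - 1) + 1  # private key x, public key y
    y = pow(g, x, p)
    mb = hashlib.sha256(b"constructed stand-in for the 32-byte MB").digest()
    sig = sign(params, x, mb, z_otr)
    return verify(params, y, mb, sig, z_otr), verify(params, y, mb, sig, z_fips)
```

Swapping the two z functions in `interop_demo` shows the failure in the other direction as well: a FIPS-style signature does not verify under the OTR convention.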