author | Werner Koch <wk@gnupg.org> | 2011-04-08 14:59:25 +0200 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2011-04-08 14:59:25 +0200 |
commit | 50c35d1f2a0c8cb1f7480ba0bd046088b636afb9 (patch) | |
tree | 8b96de5f69c131e35555773d4314e24fa133995c /cipher/dsa.c | |
parent | ff10bd860da982d8ecad39a02156816998951e67 (diff) | |
Add a few comments to explain the generation of k.
Diffstat (limited to 'cipher/dsa.c')
-rw-r--r-- | cipher/dsa.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/cipher/dsa.c b/cipher/dsa.c
index d7631a16..0d8abcfe 100644
--- a/cipher/dsa.c
+++ b/cipher/dsa.c
@@ -141,6 +141,11 @@ gen_k( gcry_mpi_t q )
 unsigned int nbytes = (nbits+7)/8;
 char *rndbuf = NULL;
 
+ /* To learn why we don't use mpi_mod to get the requested bit size,
+ read the paper: "The Insecurity of the Digital Signature
+ Algorithm with Partially Known Nonces" by Nguyen and Shparlinski.
+ Journal of Cryptology, New York. Vol 15, nr 3 (2003) */
+
 if ( DBG_CIPHER )
 log_debug("choosing a random k ");
 for (;;)
@@ -156,13 +161,20 @@ gen_k( gcry_mpi_t q )
 else
 {
 /* Change only some of the higher bits. We could improve this by directly requesting more memory at the first call
- to get_random_bytes() and use this the here maybe it is
- easier to do this directly in random.c. */
+ to get_random_bytes() and use these extra bytes here.
+ However the required management code is more complex and
+ thus we better use this simple method. */
 char *pp = gcry_random_bytes_secure( 4, GCRY_STRONG_RANDOM );
 memcpy( rndbuf,pp, 4 );
 gcry_free(pp);
 }
 _gcry_mpi_set_buffer( k, rndbuf, nbytes, 0 );
+
+ /* Make sure we have the requested number of bits. This code
+ looks a bit funny but it is easy to understand if you
+ consider that mpi_set_highbit clears all higher bits. We
+ don't have a clear_highbit, thus we first set the high bit
+ and then clear it again. */
 if ( mpi_test_bit( k, nbits-1 ) )
 mpi_set_highbit( k, nbits-1 );
 else
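Review bot: The new comment in the first hunk points the reader at the paper but never states the property the code is protecting, so a maintainer still has to fetch the reference to learn why a plain `mpi_mod` would be wrong here. One sentence would make the intent self-contained, e.g. `/* k must be uniform in [1, q-1]: reducing a random value mod q biases the top bits, and that bias is enough to recover the private key from a set of signatures (Nguyen/Shparlinski), so we draw exactly nbits bits and retry instead. */`. The retry test against q is not inside this hunk, so confirm that wording matches the loop's actual condition before adopting it. The reference itself may also deserve a second look: Journal of Cryptology vol. 15 no. 3 appeared in 2002, if I recall correctly, not 2003.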
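Review bot: The rewritten comment in the else branch of the second hunk still says "some of the higher bits" without saying how many, while the code beneath it replaces exactly the first four bytes of `rndbuf` (`memcpy( rndbuf,pp, 4 )`) and keeps the rest of the previous draw; that is worth spelling out so a reader does not assume each retry redraws the whole candidate. I would open the comment with `/* On a retry only the top four bytes of rndbuf are replaced; the remaining bytes keep the previous draw. ... */`. The new high-bit comment asserts that `mpi_set_highbit` clears all higher bits and describes an else branch that lies past the end of the hunk, so neither the claim nor the clear step can be checked from here; naming where that helper lives would let a reader verify it. gen_k's body continues outside both hunks.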