summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWerner Koch <wk@gnupg.org>2011-04-08 12:59:25 (GMT)
committerWerner Koch <wk@gnupg.org>2011-04-08 12:59:25 (GMT)
commit50c35d1f2a0c8cb1f7480ba0bd046088b636afb9 (patch)
tree8b96de5f69c131e35555773d4314e24fa133995c
parentff10bd860da982d8ecad39a02156816998951e67 (diff)
downloadlibgcrypt-50c35d1f2a0c8cb1f7480ba0bd046088b636afb9.tar.gz
libgcrypt-50c35d1f2a0c8cb1f7480ba0bd046088b636afb9.tar.xz
Add a few comments to explain the generation of k.
-rw-r--r--cipher/dsa.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/cipher/dsa.c b/cipher/dsa.c
index d7631a1..0d8abcf 100644
--- a/cipher/dsa.c
+++ b/cipher/dsa.c
@@ -141,6 +141,11 @@ gen_k( gcry_mpi_t q )
unsigned int nbytes = (nbits+7)/8;
char *rndbuf = NULL;
+ /* To learn why we don't use mpi_mod to get the requested bit size,
+ read the paper: "The Insecurity of the Digital Signature
+ Algorithm with Partially Known Nonces" by Nguyen and Shparlinski.
+ Journal of Cryptology, New York. Vol 15, nr 3 (2003) */
+
if ( DBG_CIPHER )
log_debug("choosing a random k ");
for (;;)
@@ -156,13 +161,20 @@ gen_k( gcry_mpi_t q )
else
{ /* Change only some of the higher bits. We could improve
this by directly requesting more memory at the first call
- to get_random_bytes() and use this the here maybe it is
- easier to do this directly in random.c. */
+ to get_random_bytes() and use these extra bytes here.
+ However the required management code is more complex and
+ thus we better use this simple method. */
char *pp = gcry_random_bytes_secure( 4, GCRY_STRONG_RANDOM );
memcpy( rndbuf,pp, 4 );
gcry_free(pp);
}
_gcry_mpi_set_buffer( k, rndbuf, nbytes, 0 );
+
+ /* Make sure we have the requested number of bits. This code
+ looks a bit funny but it is easy to understand if you
+ consider that mpi_set_highbit clears all higher bits. We
+ don't have a clear_highbit, thus we first set the high bit
+ and then clear it again. */
if ( mpi_test_bit( k, nbits-1 ) )
mpi_set_highbit( k, nbits-1 );
else