RFC Errata
RFC 6979, "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", August 2013
Source of RFC: INDEPENDENTSee Also: RFC 6979 w/ inline errata
Errata ID: 3812
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Edward M Drayton
Date Reported: 2013-11-27
Verifier Name: Nevil Brownlee
Date Verified: 2014-02-03
Section 2.4 (page 8) says:
If r turns out to be zero, a new k should be selected and r
computed again (this is an utterly improbable occurrence).
4. The value s (modulo q) is computed:
s = (h+x*r)/k mod q
It should say:
If r turns out to be zero, a new k should be selected and r
computed again (this is an utterly improbable occurrence).
4. The value s (modulo q) is computed:
s = (h+x*r)/k mod q
If s turns out to be zero, a new k should be selected and r
and s computed again (a similarly improbable occurrence).
Notes:
My understanding is that if s is zero it has no multiplicative inverse so the signature cannot be verified. Worse, for DSA the private key can be computed directly from r and the public key components. (I'm not sure about ECDSA..)
If I'm right about this, section 3.4 and others are affected. If not, sorry for wasting your time :-(