RFC Errata
Found 2 records.
Status: Verified (1)
RFC 6979, "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", August 2013
Source of RFC: INDEPENDENT
Errata ID: 3812
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Edward M Drayton
Date Reported: 2013-11-27
Verifier Name: Nevil Brownlee
Date Verified: 2014-02-03
Section 2.4 (page 8) says:
If r turns out to be zero, a new k should be selected and r
computed again (this is an utterly improbable occurrence).
4. The value s (modulo q) is computed:
s = (h+x*r)/k mod q
It should say:
If r turns out to be zero, a new k should be selected and r
computed again (this is an utterly improbable occurrence).
4. The value s (modulo q) is computed:
s = (h+x*r)/k mod q
If s turns out to be zero, a new k should be selected and r
and s computed again (a similarly improbable occurrence).
Notes:
My understanding is that if s is zero it has no multiplicative inverse so the signature cannot be verified. Worse, for DSA the private key can be computed directly from r and the public key components. (I'm not sure about ECDSA..)
If I'm right about this, section 3.4 and others are affected. If not, sorry for wasting your time :-(
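The corrected step 4 of Section 2.4, as an added example that is not part of the erratum or of RFC 6979: a signing loop that discards a candidate k when either r or s is zero, and a verifier that rejects out-of-range values. The toy parameters, the key, the hash value and the `k_candidates` iterator (a stand-in for the RFC 6979 k generator) are constructed assumptions.

```python
# Toy DSA domain parameters, constructed for illustration (far too small for real use).
P, Q, G = 23, 11, 2      # G has multiplicative order Q modulo P
X = 7                    # private key (constructed)
Y = pow(G, X, P)         # public key


def sign(h, k_candidates):
    """Sign hash value h; return (r, s, rejected).

    k_candidates is a hypothetical stand-in for the RFC 6979 generator:
    each item is the next candidate k. A candidate is discarded when it is
    out of range, when r == 0, or (per the erratum) when s == 0.
    """
    rejected = []
    for k in k_candidates:
        if not 0 < k < Q:
            rejected.append((k, "k out of range"))
            continue
        r = pow(G, k, P) % Q
        if r == 0:
            rejected.append((k, "r == 0"))
            continue
        s = pow(k, -1, Q) * (h + X * r) % Q   # s = (h + x*r)/k mod q
        if s == 0:
            # s has no inverse mod q, so the pair could never be verified.
            rejected.append((k, "s == 0"))
            continue
        return r, s, rejected
    raise ValueError("candidate k values exhausted")


def verify(h, r, s):
    """Standard DSA verification; r and s must both lie in [1, q-1]."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h * w % Q, r * w % Q
    return pow(G, u1, P) * pow(Y, u2, P) % P % Q == r


# Constructed case: H is chosen so that the first candidate (k = 3) gives s == 0,
# forcing the loop to move on to the second candidate (k = 5).
H = 10
R, S, REJECTED = sign(H, iter([3, 5]))
```
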
Status: Held for Document Update (1)
RFC 6979, "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", August 2013
Source of RFC: INDEPENDENT
Errata ID: 5963
Status: Held for Document Update
Type: Editorial
Publication Format(s) : TEXT
Reported By: Annie Yousar
Date Reported: 2020-01-23
Held for Document Update by: Adrian Farrel
Date Held: 2020-01-26
Section 3.2 says:
b. Set:
V = 0x01 0x01 0x01 ... 0x01
such that the length of V, in bits, is equal to 8*ceil(hlen/8).
:
:
c. Set:
K = 0x00 0x00 0x00 ... 0x00
such that the length of K, in bits, is equal to 8*ceil(hlen/8).
It should say:
b. Set:
V = 0x010101...01
such that the length of V, in bits, is equal to 8*ceil(hlen/8).
:
:
c. Set:
K = 0x000000...00
such that the length of K, in bits, is equal to 8*ceil(hlen/8).
Notes:
Harmonize the notations in 3.2 and A.1.1, where the hex string q is denoted as
0x4000000000000000000020108A2E0CC0D99F8A5EF
and not as
0x40 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x20 0x10 0x8A 0x2E 0x0C 0xC0 0x0D 0x99 0xF8 0xA5 0xEF.
