RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 6090, "Fundamental Elliptic Curve Cryptography Algorithms", February 2011

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 2777
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Annie Yousar
Date Reported: 2011-04-11
Held for Document Update by: Sean Turner

Section 7.2 says:

KT-I is mathematically and functionally equivalent to ECDSA, and can interoperate
with the IEEE [P1363] and ANSI [X9.62] standards for Elliptic Curve DSA (ECDSA)
based on fields of characteristic greater than three.  KT-I signatures can be
verified using the ECDSA verification algorithm, and ECDSA signatures can be
verified using the KT-I verification algorithm.

It should say:

For many hash functions KT-I is mathematically and functionally equivalent to
ECDSA, and can interoperate with the IEEE [P1363] and ANSI [X9.62] standards for
Elliptic Curve DSA (ECDSA) based on fields of characteristic greater than three.
KT-I signatures can be verified using the ECDSA verification algorithm, and ECDSA
signatures can be verified using the KT-I verification algorithm (refer to
Section 10.4).

Notes:

If the hash function h generates a bit string that has a bit length greater than the bit length of the elliptic curve group order, ECDSA as specified in P1363 uses a truncation of the hash value to the left-most bits. The KT-I algorithm does not use this truncation but reduces modulo q. Therefore ECDSA and KT-I with SHA-384 on the P-256 curve result in different signature values. Add a corresponding note in 10.4: The output of the hash used in KT signatures should truncated to the left-most bits if its bit-length is longer than the bit-length of the group order.

Report New Errata