RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 1 record.

Status: Verified (1)

RFC 6979, "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", August 2013

Source of RFC: INDEPENDENT

Errata ID: 3812

Status: Verified
Type: Technical

Reported By: Edward M Drayton
Date Reported: 2013-11-27
Verifier Name: Nevil Brownlee
Date Verified: 2014-02-03

Section 2.4 (page 8) says:

     If r turns out to be zero, a new k should be selected and r
       computed again (this is an utterly improbable occurrence).

   4.  The value s (modulo q) is computed:

          s = (h+x*r)/k mod q


It should say:

     If r turns out to be zero, a new k should be selected and r
       computed again (this is an utterly improbable occurrence).

   4.  The value s (modulo q) is computed:

          s = (h+x*r)/k mod q

     If s turns out to be zero, a new k should be selected and r
       and s computed again (a similarly improbable occurrence).



Notes:

My understanding is that if s is zero it has no multiplicative inverse so the signature cannot be verified. Worse, for DSA the private key can be computed directly from r and the public key components. (I'm not sure about ECDSA..)

If I'm right about this, section 3.4 and others are affected. If not, sorry for wasting your time :-(

Report New Errata