RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 2 records.

Status: Verified (1)

RFC 6979, "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", August 2013

Source of RFC: INDEPENDENT

Errata ID: 3812
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Edward M Drayton
Date Reported: 2013-11-27
Verifier Name: Nevil Brownlee
Date Verified: 2014-02-03

Section 2.4 (page 8) says:

     If r turns out to be zero, a new k should be selected and r
       computed again (this is an utterly improbable occurrence).

   4.  The value s (modulo q) is computed:

          s = (h+x*r)/k mod q


It should say:

     If r turns out to be zero, a new k should be selected and r
       computed again (this is an utterly improbable occurrence).

   4.  The value s (modulo q) is computed:

          s = (h+x*r)/k mod q

     If s turns out to be zero, a new k should be selected and r
       and s computed again (a similarly improbable occurrence).



Notes:

My understanding is that if s is zero it has no multiplicative inverse so the signature cannot be verified. Worse, for DSA the private key can be computed directly from r and the public key components. (I'm not sure about ECDSA..)

If I'm right about this, section 3.4 and others are affected. If not, sorry for wasting your time :-(

Status: Held for Document Update (1)

RFC 6979, "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", August 2013

Source of RFC: INDEPENDENT

Errata ID: 5963
Status: Held for Document Update
Type: Editorial
Publication Format(s) : TEXT

Reported By: Annie Yousar
Date Reported: 2020-01-23
Held for Document Update by: Adrian Farrel
Date Held: 2020-01-26

Section 3.2 says:

   b.  Set:

          V = 0x01 0x01 0x01 ... 0x01

       such that the length of V, in bits, is equal to 8*ceil(hlen/8).
:
:
   c.  Set:

          K = 0x00 0x00 0x00 ... 0x00

       such that the length of K, in bits, is equal to 8*ceil(hlen/8).

It should say:

   b.  Set:

          V = 0x010101...01

       such that the length of V, in bits, is equal to 8*ceil(hlen/8).
:
:
   c.  Set:

          K = 0x000000...00

       such that the length of K, in bits, is equal to 8*ceil(hlen/8).

Notes:

Hrmonize the notations in 3.2 and A.1.1, where the hex string q is denoted as
0x4000000000000000000020108A2E0CC0D99F8A5EF
and not as
0x40 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x20 0x10 0x8A 0x2E 0x0C 0xC0 0x0D 0x99 0xF8 0xA5 0xEF.

Report New Errata