RFC Errata
Found 2 records.
Status: Verified (1)
RFC 6979, "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", August 2013
Source of RFC: INDEPENDENT
Errata ID: 3812
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Edward M Drayton
Date Reported: 2013-11-27
Verifier Name: Nevil Brownlee
Date Verified: 2014-02-03
Section 2.4 (page 8) says:
If r turns out to be zero, a new k should be selected and r computed again (this is an utterly improbable occurrence). 4. The value s (modulo q) is computed: s = (h+x*r)/k mod q
It should say:
If r turns out to be zero, a new k should be selected and r computed again (this is an utterly improbable occurrence). 4. The value s (modulo q) is computed: s = (h+x*r)/k mod q If s turns out to be zero, a new k should be selected and r and s computed again (a similarly improbable occurrence).
Notes:
My understanding is that if s is zero it has no multiplicative inverse so the signature cannot be verified. Worse, for DSA the private key can be computed directly from r and the public key components. (I'm not sure about ECDSA..)
If I'm right about this, section 3.4 and others are affected. If not, sorry for wasting your time :-(
Status: Held for Document Update (1)
RFC 6979, "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", August 2013
Source of RFC: INDEPENDENT
Errata ID: 5963
Status: Held for Document Update
Type: Editorial
Publication Format(s) : TEXT
Reported By: Annie Yousar
Date Reported: 2020-01-23
Held for Document Update by: Adrian Farrel
Date Held: 2020-01-26
Section 3.2 says:
b. Set: V = 0x01 0x01 0x01 ... 0x01 such that the length of V, in bits, is equal to 8*ceil(hlen/8). : : c. Set: K = 0x00 0x00 0x00 ... 0x00 such that the length of K, in bits, is equal to 8*ceil(hlen/8).
It should say:
b. Set: V = 0x010101...01 such that the length of V, in bits, is equal to 8*ceil(hlen/8). : : c. Set: K = 0x000000...00 such that the length of K, in bits, is equal to 8*ceil(hlen/8).
Notes:
Hrmonize the notations in 3.2 and A.1.1, where the hex string q is denoted as
0x4000000000000000000020108A2E0CC0D99F8A5EF
and not as
0x40 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x20 0x10 0x8A 0x2E 0x0C 0xC0 0x0D 0x99 0xF8 0xA5 0xEF.