ECDSA does not conform to RFC6979 for messages > curve_order #1063

@paulmillr

Description

RFC6979 3.2.d says:

K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))

where bits2octets is, as per RFC6979 2.3.4, the message reduced modulo the curve order:

   The bits2octets transform takes as input a sequence of blen bits and
   outputs a sequence of rlen bits.  It consists of the following steps:

   1.  The input sequence b is converted into an integer value z1
       through the bits2int transform:

          z1 = bits2int(b)

   2.  z1 is reduced modulo q, yielding z2 (an integer between 0 and
       q-1, inclusive):

          z2 = z1 mod q

       Note that since z1 is less than 2^qlen, that modular reduction
       can be implemented with a simple conditional subtraction:
       z2 = z1-q if that value is non-negative; otherwise, z2 = z1.

   3.  z2 is transformed into a sequence of octets (a sequence of rlen
       bits) by applying int2octets.

The implementation's sign takes msg32 — not modulo-reduced msg, and passes it forward.

ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);

Seems like a bug, which does not exist in go-btcec etc.
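The following is an added example, not code from the issue author and not libsecp256k1's own nonce function. It is a plain-Python reference of the RFC 6979 section 3.2 derivation of k for secp256k1 with HMAC-SHA256, with a switch controlling whether bits2octets is applied to the message before it enters the HMAC (the RFC path) or the 32 bytes are used as they arrive (the msg32 path the issue describes). The function and constant names (rfc6979_nonce, MSG_ABOVE_Q, SECKEY, etc.) are mine; the sample inputs are constructed; nothing else of the library's nonce function (extra key data, retry handling) is reproduced.

```python
import hashlib
import hmac

# secp256k1 group order q (the "curve_order" of the issue title)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
QLEN_BYTES = 32  # rlen = 256 bits for secp256k1


def int2octets(x: int) -> bytes:
    """RFC 6979 2.3.3: fixed-length big-endian encoding of rlen bits."""
    return x.to_bytes(QLEN_BYTES, "big")


def bits2int(b: bytes) -> int:
    """RFC 6979 2.3.2: take the leftmost qlen bits as an integer.

    For secp256k1 with SHA-256, hlen == qlen == 256, so no bits are dropped.
    """
    z = int.from_bytes(b, "big")
    excess = len(b) * 8 - QLEN_BYTES * 8
    return z >> excess if excess > 0 else z


def bits2octets(b: bytes) -> bytes:
    """RFC 6979 2.3.4: reduce modulo q, then encode with int2octets."""
    z1 = bits2int(b)
    z2 = z1 - Q if z1 >= Q else z1  # the RFC's conditional subtraction
    return int2octets(z2)


def rfc6979_nonce(msg32: bytes, seckey: bytes, reduce_msg: bool = True) -> int:
    """Deterministic ECDSA nonce k per RFC 6979 3.2 (HMAC-SHA256).

    reduce_msg=True  : feed bits2octets(msg32) into HMAC (RFC 6979 as quoted).
    reduce_msg=False : feed msg32 unreduced (the behaviour the issue reports).
    """
    if len(msg32) != 32 or len(seckey) != 32:
        raise ValueError("msg32 and seckey must both be 32 bytes")
    x = int.from_bytes(seckey, "big")
    if not 0 < x < Q:
        raise ValueError("secret key out of range")

    def H(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    h_part = bits2octets(msg32) if reduce_msg else msg32
    V = b"\x01" * 32                                   # step b
    K = b"\x00" * 32                                   # step c
    K = H(K, V + b"\x00" + int2octets(x) + h_part)     # step d
    V = H(K, V)                                        # step e
    K = H(K, V + b"\x01" + int2octets(x) + h_part)     # step f
    V = H(K, V)                                        # step g
    while True:                                        # step h
        T = b""
        while len(T) < QLEN_BYTES:
            V = H(K, V)
            T += V
        k = bits2int(T)
        if 1 <= k < Q:
            return k
        K = H(K, V + b"\x00")  # candidate rejected: re-key and try again
        V = H(K, V)


# Constructed sample inputs (not from the issue): key = 1, one digest that is
# below q as any real hash almost surely is, one "hash" that is above q.
SECKEY = (1).to_bytes(32, "big")
MSG_IN_RANGE = hashlib.sha256(b"Satoshi Nakamoto").digest()
MSG_ABOVE_Q = b"\xff" * 32


def compare(msg32: bytes, seckey: bytes = SECKEY) -> tuple:
    """Return (k with bits2octets, k with raw msg32) for the same inputs."""
    return (rfc6979_nonce(msg32, seckey, True), rfc6979_nonce(msg32, seckey, False))


if __name__ == "__main__":
    for name, msg in (("in-range digest", MSG_IN_RANGE), ("0xff..ff > q", MSG_ABOVE_Q)):
        reduced, raw = compare(msg)
        print(f"{name}: same k = {reduced == raw}")
```

Only an input whose 256-bit value is at or above q makes the two paths diverge; for a genuine hash that happens with probability about 2^-128, which is why ordinary test vectors never expose it. Both paths are still deterministic functions of (key, msg32), so what diverges for such inputs is cross-implementation agreement on the signature, not the unpredictability of k.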
