Questions tagged [dsa]

The Digital Signature Algorithm (DSA) is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS), specified in FIPS 186, adopted in 1993. A minor revision was issued in 1996 as FIPS 186-1. The standard was expanded further in 2000 as FIPS 186-2 and again in 2009 as FIPS 186-3.

528 questions

votes

1 answer

Making ECDSA public keys one bit shorter

In compressed form, ECDSA public keys are one bit larger than the curve size. There are some situations where this extra bit is extremely inelegant. So I had the following idea as a way to remove it. For a public key, the extra bit is always zero…

dsa

asked Mar 28 '12 at 05:46

David Schwartz

4,729
19
31

votes

1 answer

RFC 6979 - Why not simply hash the message & the private key for deterministic ECDSA?

Why go through the trouble of using the HMAC_DRBG process, instead of simply hashing [message | private key] to calculate $k$ for deterministic ECDSA? If the resulting $k$ or the signature is invalid, then a known byte value can be appended to the…

dsa

asked Nov 29 '14 at 15:42

thera

votes

1 answer

Why use $(r,s)$ instead of $(r,s^{-1})$ as DSA signature?

A DSA signature consists of two scalars $(r,s)$. When signing $s$ is generated as: $s=k^{-1}(H(m)+xr) \mod q$ The signature is $(r,s)$ When verifying $s$ is only used to compute $w = s^{-1}$. So why does DSA store $s$ in the signature instead of…

dsa

asked Jun 05 '13 at 13:49

CodesInChaos

24,841
2
89
128

votes

2 answers

How is the x coordinate of a "point at infinity" encoded in a Secp256k1 signature?

I'm testing an implementation of Bitcoin, which uses the curve Secp256k1 for ECDSA, and I want to see how it handles the point at infinity ($0$) if present in a signature. For example, r could be the x coordinate of the encoding of the point at…

dsa

asked Jan 28 '13 at 20:40

SDL

1,867
13
25

votes

2 answers

Is there any weak message for an ECDSA signature?

Suppose ECDSA is used without hashing the message, but directly using a short message (say 10-bytes long) as the value z (using the definitions at http://en.wikipedia.org/wiki/Elliptic_Curve_DSA) because we need extremely fast signing with ECDSA in…

dsa

asked Jul 22 '13 at 22:30

SDL

1,867
13
25

votes

2 answers

Is DSA vulnerable if verifier doesn't check r' > 0?

If a DSA implementation neglects to check $r' > 0$ when verifying signatures, what are the consequences? Creating a forged $s$ would seem to require solving for $k$ $g^k mod\ p = nq$ which is still a hard problem? Assume that all other range checks…

dsa

asked Jun 13 '17 at 13:38

ardsa

votes

1 answer

Why do we truncate the hash when using DSA?

All the articles I read on the web about DSA keep telling me that the size of the hash needs to be truncated so that the bit length is equal to or lesser than the bit length of the prime number of the field. For example, Wikipedia says: Choose an…

dsa

asked May 24 '15 at 09:17

PicPuc

votes

1 answer

Adding two public keys

secp256k1 (the signature scheme used by Bitcoin) has the interesting property that you can add two public keys to get a combined key that requires both private keys to produce signatures for. Is there another, more widely used public key…

dsa

asked Apr 26 '15 at 06:43

Nick ODell

votes

1 answer

Does the size of a ECDSA key determine the hash algorithm?

I am a bit lost in understanding what I read on authentication, signature, etc. For instance, is the size of the ECDSA keys produced by ssh-keygen -t ecdsa -b 256 linked to the hash used (SHA256) when computing the signature?

dsa

asked Oct 24 '14 at 10:32

lalebarde

votes

1 answer

A missing step in ECDSA signature verification implementation

On the Wikipedia page of ECDSA, it is stated in step 6 of the verification algorithm that If (x1,y1)=O then the signature is invalid. In X9.62, it is also stated that If u1G + u2Q is the point at infinity, then reject the signature. However, I…

dsa

asked Feb 25 '19 at 09:31

youfu

votes

1 answer

Is a padded 128 bit private key enough for ecdsa 256?

According to the following, ecdsa-256 only provides ~128 bit security even for 256 bit private key: A multi-target attack on 128-bit ECDSA private keys If the private key has only 128 bit entropy but constant-padded to 256 bit, then the…

dsa

asked Oct 19 '22 at 07:39

somebody4

votes

1 answer

DSA: If signature is accepted then signature is correct

In one my classes, I have the following exercise: Prove that, in the DSA signature scheme, if a DSA signature is accepted, it is also correct. How would I go about proving this? In cryptography, what is one usually referring to when saying a…

dsa

asked May 24 '20 at 11:29

BlockchainThomas

votes

1 answer

Appending ECDSA signature to a message

I need to authenticate a message sent to an embedded device (which limits my options in terms of just using an existing convention). I can run ECDH/ECDSA on the device and can use SHA-256 as a hash function but pretty much anything else is beyond…

dsa

asked Jul 20 '18 at 19:35

user1139455

votes

1 answer

Why does DSA require that a new $k$ be chosen and the algorithm restarted if $s=0$?

DSA is an algorithm used to generate a digital signature, which consists of a pair of values $(r,s)$. The algorithm computes $r$ first and then $s$. However, if we calculate $s=0$, it says to restart the algorithm choosing a different pseudorandom…

dsa

asked Apr 27 '16 at 00:56

flubsy

votes

1 answer

Attack on DSA modification with bad hash function

Given a (bad) modification of DSA where the hash function is the identity ($H(m)=m$), I am now supposed to design an attack. So $(m, (r,s))$ are given and I should be able to create a legit signature $(r',s')$ for a chosen $m'$ (of course $m'\neq…

dsa

asked Jul 15 '14 at 09:02

stefanbschneider

2 3 Next