[OTR-dev] No hash truncation in DSA signatures
agl at imperialviolet.org
Tue Nov 29 16:37:41 EST 2011
In http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html, it says:
"This is the signature, using the private part of the key pubB, of the
32-byte MB (which does not need to be hashed again to produce the
In http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf, section 4.6:
"z = the leftmost min(N, outlen) bits of Hash(M)"
Where outlen is the output length of the hash function (256 here) and
N is the bit length of q (160 for OTR).
libgcrypt doesn't do this and, therefore, not does the OTR protocol. I
think it's worth making a note of that - it screwed me up for a while
Adam Langley agl at imperialviolet.org http://www.imperialviolet.org
More information about the OTR-dev