[OTR-dev] No hash truncation in DSA signatures

Adam Langley agl at imperialviolet.org
Tue Nov 29 16:37:41 EST 2011

In http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html, it says:

"This is the signature, using the private part of the key pubB, of the
32-byte MB (which does not need to be hashed again to produce the

In http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf, section 4.6:

"z = the leftmost min(N, outlen) bits of Hash(M)"

Where outlen is the output length of the hash function (256 here) and
N is the bit length of q (160 for OTR).

libgcrypt doesn't do this and, therefore, neither does the OTR protocol. I
think it's worth making a note of that - it screwed me up for a while



Adam Langley agl at imperialviolet.org http://www.imperialviolet.org
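
The mismatch described in the message above, as an added example that is not part of the original post and is not libgcrypt or OTR code: a toy DSA implementation signs a 32-byte value without truncation, then verifies it once without truncation and once with the FIPS 186-3 section 4.6 rule. The 512-bit p, the seeded PRNG, the sample message and all function names are assumptions chosen for illustration and are not secure for real keys.

```python
import hashlib, random

def is_prime(n, rounds=20, rng=random.Random(1)):
    """Miller-Rabin probabilistic primality test for odd n > 3."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(rng, L=512, N=160):
    """Toy domain parameters: N-bit prime q, prime p = k*q + 1 of about L bits."""
    while not is_prime(q := rng.getrandbits(N) | (1 << (N - 1)) | 1):
        pass
    while True:
        k = (rng.getrandbits(L - N) | (1 << (L - N - 1))) & ~1  # even k keeps p odd
        p = k * q + 1
        if is_prime(p) and pow(2, k, p) > 1:
            return p, q, pow(2, k, p)  # g = 2^((p-1)/q) mod p has order q

def to_z(m, q, truncate):
    """Digest bytes -> integer; truncate=True keeps the leftmost min(N, outlen) bits."""
    z = int.from_bytes(m, "big")
    return z >> max(0, 8 * len(m) - q.bit_length()) if truncate else z

def sign(z, x, p, q, g, rng):
    k = rng.randrange(1, q)  # toy nonce from a seeded PRNG, for repeatability only
    r = pow(g, k, p) % q
    return r, pow(k, -1, q) * (z + x * r) % q

def verify(z, r, s, y, p, q, g):
    w = pow(s, -1, q) if 0 < s < q else 0
    return 0 < r < q and w > 0 and pow(g, z * w % q, p) * pow(y, r * w % q, p) % p % q == r

def demo(seed=2011):
    """Sign the untruncated value; return (verifies untruncated, verifies truncated)."""
    rng = random.Random(seed)  # constructed toy key material
    p, q, g = gen_params(rng)
    x = rng.randrange(1, q)  # private key; public key is g^x mod p
    m = hashlib.sha256(b"constructed stand-in for M_B").digest()  # 32 bytes
    r, s = sign(to_z(m, q, False), x, p, q, g, rng)
    return tuple(verify(to_z(m, q, t), r, s, pow(g, x, p), p, q, g) for t in (False, True))
```

`demo()` returns `(True, False)`: the same signature is accepted by a verifier that uses all 256 bits and rejected by one that truncates to 160 bits first.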
