[OTR-dev] No hash truncation in DSA signatures

[Hannes Mehnert]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Hi,

while implementing OTR I stumbled upon the very same issue... It'd be
great to clarify this in the spec, as suggested by Adam.

Cheers,

Hannes


On 11/29/2011 22:37, Adam Langley wrote:
> In http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html, it says:
> 
> "This is the signature, using the private part of the key pubB, of
> the 32-byte MB (which does not need to be hashed again to produce
> the signature)."
> 
> In http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf,
> section 4.6:
> 
> "z = the leftmost min(N, outlen) bits of Hash(M)"
> 
> Where outlen is the output length of the hash function (256 here)
> and N is the bit length of q (160 for OTR).
> 
> libgcrypt doesn't do this and, therefore, not does the OTR
> protocol. I think it's worth making a note of that - it screwed me
> up for a while :)
> 
> 
> Cheers
> 
> AGL
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCQAGBQJUTmMkAAoJELyJZYjffCjuu7UP/3Vw3X4q72Pfmuh+xuiHPFv5
qWP7Cjl0MLS2s5qzKJeeKgS6rx3G35NJCoHqfEJn9ZjjLUZauWjK4ZcZnk+EfLD0
4JmG2mrxAUc9AoNLoIE330oXYqXgxAsL/nSB12Gf1C17mrxCdUJ2FwU6GP7bC9Nx
VcktSOMAXK8CzaKEh7onK5ZDQp3FH2IFSzTzfdcTTy3Z1wTZE6RiTOVwi+bjBkzM
ipJL3HFYoYGr8CdGpDO3p6xTFzeGdsfK4E8noqJIJzPTpJoUi7hYp8wkUmnz19Za
9DUFqvd0RNnFKKs/lXJ2Vuo50fWCkU19qYeev/81vAM2z0zVPllGBbufwMzfzn38
nyBPaoGBUUImRI9iAWo+L+5tzkV+jB+7tURoBmsdyTo8oW2fyoVk/bLbRz8PnB0c
ZdXPux5QKqezOH6qPRS+qeOB4YIXgbjv2ePgNhFoBn6TphFnPyu7CAxTFlSL/GD6
lqF0QeVI/zJD3bpkxYXX0b4jmAJDWji5n3+Ycb9Wxi/GiR/Yh9AdFxjp42sYDY33
gLr8hoWzIi/yCxlBaK5vh8TpFGyFRbXyQBcNOyIs6+HvgSrD1zu/gAn874Yd1Hve
07N2s7OTA/gUonmEu+D3wGp1KU9SDvaNmWW31o0fuXkvju3yvUPdQ9ws/3hQZRDI
e/8T42HQB2yxucpHRF56
=U+xe
-----END PGP SIGNATURE-----