Add extra explanatory comment about the DSA k generation.

[originally from svn r1285]
2025-01-09 17:38:00 +00:00 · 2001-09-22 21:00:16 +00:00 · 2001-09-22 21:00:16 +00:00 · 8306df80a4
commit 8306df80a4
parent d345ebc2a5
1 changed files with 10 additions and 3 deletions
--- a/sshdss.c
+++ b/sshdss.c
@ -546,9 +546,16 @@ unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen)
     * signing the same hash twice with the same key yields the
     * same signature.
     * 
-     * (It doesn't, _per se_, protect against reuse of k. Reuse of
-     * k is left to chance; all it does is prevent _excessively
-     * high_ chances of reuse of k due to entropy problems.)
+     * Despite this determinism, it's still not predictable to an
+     * attacker, because in order to repeat the SHA-512
+     * construction that created it, the attacker would have to
+     * know the private key value x - and by assumption he doesn't,
+     * because if he knew that he wouldn't be attacking k!
+     *
+     * (This trick doesn't, _per se_, protect against reuse of k.
+     * Reuse of k is left to chance; all it does is prevent
+     * _excessively high_ chances of reuse of k due to entropy
+     * problems.)
     * 
     * Thanks to Colin Plumb for the general idea of using x to
     * ensure k is hard to guess, and to the Cambridge University