Re: Suggested changes for DSA2

[Ben Laurie <ben@xxxxxxxxxxxxx>]

Hal Finney wrote:
>     DSA signatures MUST use hashes that are equal to or larger than the
>     size of q, the group generated by the DSA key's generator value.
>     If the chosen hash is larger than the size of q, the hash result
>     is truncated to fit by taking a number of leftmost bits equal to
>     the number of bits in q.  This (possibly truncated) hash function
>     result is treated as a number and used directly in the DSA signature
>     algorithm.
> 
> Note that this truncation (or non-truncation) could still leave the
> hash as bigger than q, but that is OK as the signature and validation
> algorithms will either explicitly or implicitly take it mod q as it
> is used.  So I don't think we have to tell them to take it mod q.

Not sure what you mean by this - the point is that the hash should end
up with the same number of bits as q.

BTW, I don't believe truncation is actually required mathematically, but
it is presumably more efficient to truncate.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff