18 Feb
2013
18 Feb
'13
1:13 p.m.
On Mon, Feb 18, 2013 at 1:10 PM, Niels Möller nisse@lysator.liu.se wrote:
And during signing, would it make sense to check if z s_1 = h (here, z is the private key, s_1 is the x coordinate of k G, and h is the message digest), and try a new random k in that case? In addition to the checks for s_1 == 0 or s_2 == 0?
The check looks like a good one on a first read, but isn't it the same as checking for k being 3? (or whatever fixed value).
No, just as for the other checks, the condition depends on both k and h.
So has this particular case higher probability than k being randomly chosen to be 3? (I've not seen this test anywhere else, that's why I'd be curious on why you mention this test).
regards, Nikos