Nikos Mavrogiannopoulos nmav@gnutls.org writes:
> So has this particular case higher probability than k being randomly chosen to be 3? (I've not seen this test anywhere else, that's why I'd be curious on why you mention this test).
If the verify code is done as

  P1 = u1*G
  P2 = u2*Y
  P = P1 + P2

then an equivalent test is needed there, since we have to do

  if (P1 == P2)
    P = ecc_dup (P1)
  else
    P = ecc_add (P1, P2)

And if we do this test, it's trivial to extend it to

  if (P1 == P2)
    {
      P = ecc_dup (P1)
      output private key (it's -u2/u1 (mod q) or something like that)
    }
  else
    P = ecc_add (P1, P2)
So *if* we think that handling this case correctly on the verify side is appropriate, then it seems reasonable, on the signing side, to make sure that it never occurs.
And conversely, if it's too unlikely to bother about when signing, do we need to bother about it when verifying signatures, or is it ok if ecdsa_verify outputs some incorrect result, most likely always "invalid", for this case?
I have also not seen this case mentioned anywhere, so I'm not sure what's the right thing to do.
Regards,
/Niels
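
The case discussed in the message above, as an added worked example (not code from the message or from any library): a verifier whose final addition uses only the chord formula breaks on a valid signature when u1*G equals u2*Y, while the `P1 == P2` test handles it, and a signer can detect the case because it occurs exactly when h = r*x (mod q). The toy curve, the sample values, and the names `ecc_add_checked`, `ecdsa_sign` and `avoid_collision` are assumptions made for illustration.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17, base point G of prime order q = 19.
# Constructed parameters for illustration; far too small for real use.
p, a, q, G, INF = 17, 2, 19, (5, 1), None
x_demo, k_demo, h_demo = 7, 3, 13   # constructed so that h == r*x (mod q)

def ecc_dup(P):
    if P is INF or P[1] == 0:
        return INF
    lam = (3 * P[0] ** 2 + a) * pow(2 * P[1], -1, p) % p
    x = (lam * lam - 2 * P[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def ecc_add(P1, P2):
    # Chord formula only. The slope needs 1/(x2 - x1), so P1 == P2 (or
    # P1 == -P2) makes pow() raise ValueError: the case discussed above.
    lam = (P2[1] - P1[1]) * pow(P2[0] - P1[0], -1, p) % p
    x = (lam * lam - P1[0] - P2[0]) % p
    return (x, (lam * (P1[0] - x) - P1[1]) % p)

def ecc_add_checked(P1, P2):
    if P1 is INF or P2 is INF:
        return P2 if P1 is INF else P1
    if P1 == P2:
        return ecc_dup(P1)          # the extra test on the verify side
    return INF if P1[0] == P2[0] else ecc_add(P1, P2)

def ecc_mul(k, P):
    R = INF
    while k:
        if k & 1:
            R = ecc_add_checked(R, P)
        P, k = ecc_dup(P), k >> 1
    return R

def ecdsa_sign(h, x, k, avoid_collision=False):
    r = ecc_mul(k, G)[0] % q
    # u1*G == u2*Y exactly when h == r*x (mod q); a signer can refuse such k.
    if avoid_collision and (h - r * x) % q == 0:
        return None
    s = pow(k, -1, q) * (h + r * x) % q
    return (r, s) if r and s else None

def ecdsa_verify(h, sig, Y, add):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    P = add(ecc_mul(h * w % q, G), ecc_mul(r * w % q, Y))
    return P is not INF and P[0] % q == r
```

Passing `ecc_add` as `add` models a verifier without the equality test; passing `ecc_add_checked` models one with it.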