author | lloyd <[email protected]> | 2010-09-26 17:08:02 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2010-09-26 17:08:02 +0000 |
commit | c820501357ac3acc81ddb8fad9fd9fd5fee9b32f (patch) | |
tree | 3875bfc6611db18261ec96a5c71a836a265166bd /src | |
parent | 6e71a3c9eeb838a79d82b19137f1c11b0e58c974 (diff) |
If we generate a k such that s or r is 0, don't fail, simply retry
with a new k.
Diffstat (limited to 'src')
-rw-r--r-- | src/pubkey/ecdsa/ecdsa.cpp | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/src/pubkey/ecdsa/ecdsa.cpp b/src/pubkey/ecdsa/ecdsa.cpp
index 88ef8a38a..2522fa9f3 100644
--- a/src/pubkey/ecdsa/ecdsa.cpp
+++ b/src/pubkey/ecdsa/ecdsa.cpp
@@ -38,21 +38,23 @@ ECDSA_Signature_Operation::sign(const byte msg[], u32bit msg_len,
 {
 rng.add_entropy(msg, msg_len);
 
- BigInt k;
- k.randomize(rng, order.bits());
-
- while(k >= order)
- k.randomize(rng, order.bits() - 1);
-
 BigInt m(msg, msg_len);
 
- PointGFp k_times_P = base_point * k;
- BigInt r = mod_order.reduce(k_times_P.get_affine_x());
+ BigInt r = 0, s = 0;
+
+ while(r == 0 || s == 0)
+ {
+ // This contortion is necessary for the tests
+ BigInt k;
+ k.randomize(rng, order.bits());
 
- if(r == 0)
- throw Internal_Error("ECDSA_Signature_Operation: r was zero");
+ while(k >= order)
+ k.randomize(rng, order.bits() - 1);
 
- BigInt s = mod_order.multiply(inverse_mod(k, order), mul_add(x, r, m));
+ PointGFp k_times_P = base_point * k;
+ r = mod_order.reduce(k_times_P.get_affine_x());
+ s = mod_order.multiply(inverse_mod(k, order), mul_add(x, r, m));
+ }
 
 SecureVector<byte> output(2*order.bytes());
 r.binary_encode(&output[output.size() / 2 - r.bytes()]); |
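Review bot: The nonce redraw carried into the new retry loop, `k.randomize(rng, order.bits() - 1)`, samples from a narrower range than the first attempt, so k is not uniform below the order whenever the order is not close to a power of two. Biased ECDSA nonces weaken the private key over many signatures. The loop also rejects only r == 0 and s == 0, never k == 0; how `base_point * k` and `inverse_mod(k, order)` behave for a zero k is not visible in this hunk. Plain rejection sampling at full width covers both: `while(k == 0 || k >= order) k.randomize(rng, order.bits());`. The comment "This contortion is necessary for the tests" should say which contortion and which tests it means; sign() begins and ends outside this hunk.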