**commit** 4050c40c05715ec9d326aeadf5c52fbc89cfc751
**parent** e2a32696c8959fdb36698752f4460a67657a75b2
**Author:** Jared Tobin <jared@jtobin.io>
**Date:** Sat, 26 Aug 2023 18:53:47 -0230
Couple of text patches.
**Diffstat:**

1 file changed, 9 insertions(+), 10 deletions(-)

**diff --git a/docs/s6.md b/docs/s6.md**
@@ -121,11 +121,10 @@ and now the forgery, produced of course without the secret key:
#### 6.43
Parameter generation for DSA as detailed in
-[FIPS.186-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf#
-page=40) seems to be particularly annoying and unrewarding to implement,
-so I didn't bother with it. The rest of the protocol is pretty standard
-fare; Cryptopals.DSA implements 'keygen', 'sign', and 'verify'
-functionality.
+[FIPS.186-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf#page=40)
+seems to be particularly annoying and unrewarding to implement, so I
+didn't bother with it. The rest of the protocol is pretty standard fare;
+Cryptopals.DSA implements 'keygen', 'sign', and 'verify' functionality.
As for the attack here, if one knows the subkey/nonce he can trivially
recover the private key:
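Review bot: In the rewrapped paragraph, the module name Cryptopals.DSA is plain text and 'keygen', 'sign', and 'verify' are in single quotes; since docs/s6.md is markdown, backticks would mark all four as identifiers. Joining the FIPS.186-4 URL onto one line is the right fix, because the old wrap split the "#page=40" fragment across two lines.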
@@ -201,9 +200,8 @@ As an illustration, if badParams contains g = 0, then:
The case is much the same for g = p + 1, since r = 1 for every signature
produced. Any public key generated with these parameters will equal 1,
but the "magic signature" will work for DSA pubkeys generated with other
-'g' parameters, so long as they use g = p + 1 when actually signing and
-verifying. For the magicsig and arbitrary k, and arbitrary pubkey y, we
-have that:
+'g' parameters, so long as they use g = p + 1 when actually verifying.
+For the magicsig and arbitrary k, and arbitrary pubkey y, we have that:
r = y^k mod p (mod q)
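Review bot: On the new line "For the magicsig and arbitrary k, and arbitrary pubkey y, we have that:" the doubled "and arbitrary" reads awkwardly; suggest "For the magicsig, arbitrary k, and arbitrary pubkey y, we have that:". With "signing and" dropped, the unchanged opening sentence ("since r = 1 for every signature produced") still talks about signing under g = p + 1, so it would help to say explicitly that the magic signature's r is computed from y rather than from g, and that g = p + 1 only matters at verification. The formula that follows would also be less ambiguous written as r = (y^k mod p) mod q.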
@@ -226,7 +224,7 @@ and then for any u, we have:
= y^k mod p (mod q)
= r
-so that every signature will verify by construction.
+so that the signature will verify for every message by construction.
An illustration. First generate a keypair with normal, God-fearing
parameters:
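Review bot: The reworded conclusion "the signature will verify for every message by construction" leaves out the condition it depends on, which the preceding paragraph states as "so long as they use g = p + 1 when actually verifying". Suggest "so that, when verified with g = p + 1, the signature will verify for every message by construction", so the sentence cannot be read as a claim about verification under sound parameters.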
@@ -244,7 +242,7 @@ Here's the magic signature-making function:
in Sig r s
Here's a magic signature, again created with good parameters. It looks
-convincing enough:
+innocuous enough:
> let mag = magicsig defaultParams (pub per)
> mag
@@ -261,4 +259,5 @@ parameters in which g = p + 1:
> unsafeVerify otherBadParams (pub per) "Goodbye, world" mag
True
+Bad group!
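Review bot: The added closing line "Bad group!" ends the section on a quip without stating the takeaway for the verifying side. The session above returns True from unsafeVerify with otherBadParams for a message the key holder never signed, so a closing sentence saying that a verifier must reject parameters such as g = 0 and g = p + 1 before checking any signature would make the point of the exercise explicit.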