diff --git a/draft-irtf-cfrg-det-sigs-with-noise.md b/draft-irtf-cfrg-det-sigs-with-noise.md index e8252b0..3ddac75 100644 --- a/draft-irtf-cfrg-det-sigs-with-noise.md +++ b/draft-irtf-cfrg-det-sigs-with-noise.md @@ -482,18 +482,18 @@ For Deterministic ECDSA: In existing ECDSA deployments where side-channel and fa ~~~~~~~~~~~~~~~~~~~~~~~ d. Set: - K = HMAC_K(V || 0x00 || Z0 || 000... || int2octets(x) || 000... + K = HMAC_K(V || 0x00 || Zd || 000... || int2octets(x) || 000... || bits2octets(h1)) where '||' denotes concatenation. In other words, we compute HMAC with key K, over the concatenation of the following, in order: the current value of V, a sequence of eight bits of value - 0, random data Z0 (of the same length as int2octets(x)), a + 0, random data Zd (of the same length as int2octets(x)), a sequence of zero bits 000..., the encoding of the (EC)DSA private key x, a sequence of zero bits 000..., and the hashed message (possibly truncated and extended as specified by the bits2octets transform). The number of zeroes 000... is chosen so that the - length of (V || 0x00 || Z0 || 000...) and (int2octets(x) || + length of (V || 0x00 || Zd || 000...) and (int2octets(x) || 000...) are multiples of the block size of the hash function. The HMAC result is the new value of K. Note that the private key x is in the [1, q-1] range, hence a proper input for int2octets, @@ -503,10 +503,10 @@ d. Set: ~~~~~~~~~~~~~~~~~~~~~~~ f. Set: - K = HMAC_K(V || 0x01 || Z1 || 000... || int2octets(x) || + K = HMAC_K(V || 0x01 || Zf || 000... || int2octets(x) || 000... || bits2octets(h1)) - Note that the "internal octet" is 0x01 this time and that Z1 is + Note that the "internal octet" is 0x01 this time and that Zf is newly generated random data, i.e., not reused from step (d). ~~~~~~~~~~~~~~~~~~~~~~~