This is a minimal fix of consistency only, by changing the comment to reflect what the code already does. I did not check the choice of using only half the curve's field size (in bits) of entropy.
What did you expect to see?
A match between comments and code in https://github.com/golang/go/blob/master/src/crypto/ecdsa/ecdsa.go#L152.
What did you see instead?
https://github.com/golang/go/blob/master/src/crypto/ecdsa/ecdsa.go#L152: "// Get max(log2(q) / 2, 256) bits of entropy from rand."
https://github.com/golang/go/blob/master/src/crypto/ecdsa/ecdsa.go#L154 proceeds to calculate an entropylen of approximately the number of bytes in min(log2(q) / 2, 256), which differs from the comment describing the intention by selecting the minimum, not the maximum.
Which one is the correct amount of entropy? The code seems suspicious by limiting the entropy and hence security level to 256 bits maximum even if a curve with larger potential is used, but it could be motivated by the hash used, SHA512 chopped to 256 bits, which does already impose a limit to the maximum security level.
Is the comment correct? Since I don't understand the division by two (q is the size of the underlying field in bits and hence the amount of entropy I would expect to want to use), I cannot answer this question and hence cannot propose a fix such as simply changing the code to match the comment or vice versa.
It is possible that the motivating idea is that the security level is half the size of the curve's underlying field in bits, and that no more entropy than that makes sense. If correct, then the code makes sense and the comment should be changed to reflect what the code does.
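To make the gap between the two readings concrete, this added example (not code from the Go repository or from the issue author) computes both byte counts for the NIST curves in `crypto/elliptic`. The rounding `(bitSize+7)/16` and the function names are assumptions; the issue only says the code computes approximately the number of bytes in min(log2(q) / 2, 256).

```go
package main

import (
	"crypto/elliptic"
	"fmt"
)

// halfFieldBytes converts log2(q)/2 bits to bytes.
// Assumption: rounding is (bitSize+7)/16; the issue says only "approximately".
func halfFieldBytes(bitSize int) int {
	return (bitSize + 7) / 16
}

// entropyMin: min(log2(q)/2, 256) bits, the behaviour the issue
// attributes to the code (never more than 32 bytes).
func entropyMin(bitSize int) int {
	if n := halfFieldBytes(bitSize); n < 32 {
		return n
	}
	return 32
}

// entropyMax: max(log2(q)/2, 256) bits, what the comment says
// (never fewer than 32 bytes).
func entropyMax(bitSize int) int {
	if n := halfFieldBytes(bitSize); n > 32 {
		return n
	}
	return 32
}

func main() {
	curves := []elliptic.Curve{
		elliptic.P224(), elliptic.P256(), elliptic.P384(), elliptic.P521(),
	}
	fmt.Printf("%-6s %5s %12s %12s\n", "curve", "bits", "min (bytes)", "max (bytes)")
	for _, c := range curves {
		p := c.Params()
		fmt.Printf("%-6s %5d %12d %12d\n",
			p.Name, p.BitSize, entropyMin(p.BitSize), entropyMax(p.BitSize))
	}
}
```

Under these assumptions the two readings agree on no curve: the min form yields 14, 16, 24 and 32 bytes for P-224 through P-521, while the max form yields 32, 32, 32 and 33.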