X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/5c72ca6161da0e7976245222c412d62ebae2e386..f2003e3230fa6f3a1cc5d60256d1a19c8b0022d5:/sshdss.c?ds=sidebyside
diff --git a/sshdss.c b/sshdss.c
index b2179a83..65844a9b 100644
--- a/sshdss.c
+++ b/sshdss.c
@@ -19,7 +19,6 @@ static void sha_mpint(SHA_State * s, Bignum b)
 {
-    unsigned char *p;
     unsigned char lenbuf[4];
     int len;
     len = (bignum_bitcount(b) + 8) / 8;
@@ -34,7 +33,6 @@ static void sha_mpint(SHA_State * s, Bignum b)
 static void sha512_mpint(SHA512_State * s, Bignum b)
 {
-    unsigned char *p;
     unsigned char lenbuf[4];
     int len;
     len = (bignum_bitcount(b) + 8) / 8;
@@ -546,9 +544,16 @@ unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen)
      * signing the same hash twice with the same key yields the
      * same signature.
      *
-     * (It doesn't, _per se_, protect against reuse of k. Reuse of
-     * k is left to chance; all it does is prevent _excessively
-     * high_ chances of reuse of k due to entropy problems.)
+     * Despite this determinism, it's still not predictable to an
+     * attacker, because in order to repeat the SHA-512
+     * construction that created it, the attacker would have to
+     * know the private key value x - and by assumption he doesn't,
+     * because if he knew that he wouldn't be attacking k!
+     *
+     * (This trick doesn't, _per se_, protect against reuse of k.
+     * Reuse of k is left to chance; all it does is prevent
+     * _excessively high_ chances of reuse of k due to entropy
+     * problems.)
      *
      * Thanks to Colin Plumb for the general idea of using x to
      * ensure k is hard to guess, and to the Cambridge University
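Review bot: The new paragraph in the dss_sign hunk justifies k's unpredictability solely by the attacker's ignorance of x, but it never states that the hash being signed is also an input to the SHA-512 construction; that second input is what keeps k distinct across different messages under the same key, and the surrounding text only implies it indirectly via "signing the same hash twice ... yields the same signature". Suggest adding one sentence after "attacking k!": `* (The hash being signed is also an input to that construction, so different messages under the same key get different k.)` — provided the generation code below really does mix the hash in, which is outside this hunk and I cannot confirm from here. The body of dss_sign begins and ends outside the hunk.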