From 5ced2a021f44e9227999932038056bae772a2167 Mon Sep 17 00:00:00 2001
From: simon <simon@cda61777-01e9-0310-a592-d414129be87e>
Date: Sat, 22 Sep 2001 21:00:16 +0000
Subject: [PATCH] Add extra explanatory comment about the DSA k generation.

git-svn-id: svn://svn.tartarus.org/sgt/putty@1285 cda61777-01e9-0310-a592-d414129be87e
---
 sshdss.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/sshdss.c b/sshdss.c
index b2179a83..48563067 100644
--- a/sshdss.c
+++ b/sshdss.c
@@ -546,9 +546,16 @@ unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen)
      * signing the same hash twice with the same key yields the
      * same signature.
      * 
-     * (It doesn't, _per se_, protect against reuse of k. Reuse of
-     * k is left to chance; all it does is prevent _excessively
-     * high_ chances of reuse of k due to entropy problems.)
+     * Despite this determinism, it's still not predictable to an
+     * attacker, because in order to repeat the SHA-512
+     * construction that created it, the attacker would have to
+     * know the private key value x - and by assumption he doesn't,
+     * because if he knew that he wouldn't be attacking k!
+     *
+     * (This trick doesn't, _per se_, protect against reuse of k.
+     * Reuse of k is left to chance; all it does is prevent
+     * _excessively high_ chances of reuse of k due to entropy
+     * problems.)
      * 
      * Thanks to Colin Plumb for the general idea of using x to
      * ensure k is hard to guess, and to the Cambridge University
-- 
2.11.0