[144976] in cryptography@c2.net mail archive


Re: Possibly questionable security decisions in DNS root management

daemon@ATHENA.MIT.EDU (Greg Rose)
Tue Oct 20 22:48:18 2009

Cc: Greg Rose <ggr@qualcomm.com>,
        "cryptography@metzdowd.com" <cryptography@metzdowd.com>
From: Greg Rose <ggr@qualcomm.com>
To: Jack Lloyd <lloyd@randombit.net>
In-Reply-To: <20091019161526.GC11421@randombit.net>
Date: Tue, 20 Oct 2009 14:45:34 -0700


On 2009 Oct 19, at 9:15, Jack Lloyd wrote:

> On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote:
>
>> DSA was (designed to be) full of covert channels.
> And, for that matter, one can make DSA deterministic by choosing the k
> values to be HMAC-SHA256(key, H(m)) - this will cause the k values to
> be repeated, but only if the message itself repeats (which is fine,
> since seeing a repeated message/signature pair is harmless), or if one
> can induce collisions on HMAC with an unknown key (which seems a
> profoundly more difficult problem than breaking RSA or DSA).

Ah, but this doesn't solve the problem; a compliant implementation
would be deterministic and free of covert channels, but you can't
reveal enough information to convince someone *else* that the
implementation is compliant (short of using zero-knowledge proofs,
let's not go there). So a hardware nubbin could still leak information.

Greg.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
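The deterministic-k construction Jack quotes, and Greg's point that a verifier cannot tell whether a signer actually used it, as an added Python example that is not part of this thread. The toy DSA parameters (p = 607, q = 101), the private key 57 and the retry counter in the k derivation are constructed assumptions; real parameters are far larger.

```python
import hashlib
import hmac
import secrets

# Toy DSA group (constructed, far too small for real use): q = 101 is prime,
# p = 6*q + 1 = 607 is prime, so G = 2^((p-1)/q) mod p generates the order-q subgroup.
P, Q = 607, 101
G = pow(2, (P - 1) // Q, P)  # 64 here, and 64 != 1 so its order is exactly q


def H(msg):
    """Message digest reduced into Z_q (real DSA truncates to the bit length of q)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def derive_k(x, msg, counter=0):
    """k = HMAC-SHA256(key, H(m)) as described in the thread; the counter is an
    assumption added here so a k that reduces to 0 mod q can be retried."""
    key = x.to_bytes(4, "big")
    data = hashlib.sha256(msg).digest() + counter.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest(), "big") % Q


def sign(x, msg, deterministic=True):
    """Standard DSA signing; only the choice of k differs between the two modes."""
    counter = 0
    while True:
        k = derive_k(x, msg, counter) if deterministic else secrets.randbelow(Q)
        counter += 1
        if k == 0:
            continue
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (H(msg) + x * r) % Q
        if r != 0 and s != 0:
            return r, s


def verify(y, msg, sig):
    """Standard DSA verification: it never sees k, so it cannot tell how k was chosen."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = H(msg) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def demo():
    x = 57                                   # constructed private key
    y = pow(G, x, P)
    m = b"root zone update"                  # constructed message
    compliant = [sign(x, m) for _ in range(3)]
    leaky = sign(x, m, deterministic=False)  # same key, k chosen some other way
    return {"repeats": len(set(compliant)) == 1,                 # compliant signer repeats itself
            "compliant_ok": all(verify(y, m, s) for s in compliant),
            "leaky_ok": verify(y, m, leaky)}                      # verifier accepts this one too
```

Both signatures over the same message verify identically; nothing in the output of the verifier distinguishes the HMAC-derived k from any other choice, which is the gap Greg describes.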
