On 2009 Oct 19, at 9:15 , Jack Lloyd wrote:
On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote:
DSA was (designed to be) full of covert channels.
And, for that matter, one can make DSA deterministic by choosing the k
values to be HMAC-SHA256(key, H(m)) - this will cause the k values to
be repeated, but only if the message itself repeats (which is fine,
since seeing a repeated message/signature pair is harmless), or if one
can induce collisions on HMAC with an unknown key (which seems a
profoundly more difficult problem than breaking RSA or DSA).
Ah, but this doesn't solve the problem; a compliant implementation
would be deterministic and free of covert channels, but you can't
reveal enough information to convince someone *else* that the
implementation is compliant (short of using zero-knowledge proofs,
let's not go there). So a hardware nubbin could still leak information.
Greg.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
