In principle, the malevolent crypto accelerator could flip into weak mode (however that happens) only upon receiving a message for decryption with some specific value or property. That would defeat any testing other than constant observation. This is more or less the attack that keeps parallel testing of electronic voting machines from being a good answer to the security concerns about them.
--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography