"James A. Donald" <jam...@echeque.com> writes:

>Must interoperate with legitimate code.
>
>Must plausibly claim to utilize well known algorithms (while actually
>misusing them or grossly deviating from them).

Sheesh, I can do this without even thinking.  Here's one:

/* Generate the random value k.  FIPS 186 requires (Appendix 3) that this be
   done with:

       k = G(t,KKEY) mod q

   where G(t,c) produces a 160-bit output, however this produces a slight
   bias in k that leaks a small amount of the private key in each signature.
   Because of this we start with a value which is 32 bits larger than q and
   then do the reduction, eliminating the bias. */

That took all of ten seconds to get.  Result: A completely FIPS 186-compliant
digsig implementation that leaks the private key.

How many more do you want?

Peter.
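The bias the comment above talks about can be quantified exactly rather than argued about. The following is an added example, not code from the thread or from any FIPS 186 implementation: it computes, for a uniform input of a given bit length reduced mod q, how much more often the most frequent residue is hit than the least frequent one, and contrasts the "draw exactly as many bits as q has" pattern with drawing extra bits first. The subgroup order `Q` is a constructed toy prime of about 20 bits so the numbers stay small; a real DSA q is 160, 224 or 256 bits, and the arithmetic is identical. The choice of 64 extra bits in `k_extra_bits` follows FIPS 186-4 Appendix B.5.1 (the post's comment uses 32), and the helper names are mine.

```python
import secrets
from fractions import Fraction

# Constructed toy subgroup order (a ~20-bit prime) so the bias is easy to see.
# A real DSA q is 160/224/256 bits; the analysis below does not change.
Q = 1000003


def residue_probabilities(bits: int, q: int) -> tuple[Fraction, Fraction]:
    """Exact (min, max) probability that X mod q lands on a given residue,
    where X is uniform over [0, 2**bits).  No sampling, hence no noise:
    every residue is hit n = floor(2**bits / q) times, and the first
    (2**bits mod q) residues are hit once more."""
    total = 1 << bits
    n, rem = divmod(total, q)
    p_low = Fraction(n, total)
    p_high = Fraction(n + 1, total) if rem else p_low
    return p_low, p_high


def bias_ratio(bits: int, q: int) -> Fraction:
    """How much likelier the most likely residue is than the least likely.
    1 means perfectly uniform; anything above 1 is structure a lattice-style
    nonce analysis can exploit across many signatures."""
    p_low, p_high = residue_probabilities(bits, q)
    return p_high / p_low


def k_naive(q: int) -> int:
    """The pattern the comment warns about: draw as many bits as q has, then
    reduce.  Biased whenever 2**bits is not a multiple of q (always, for a
    prime q).  Also note it can return 0, which is not a valid DSA nonce."""
    return secrets.randbits(q.bit_length()) % q


def k_extra_bits(q: int, extra: int = 64) -> int:
    """Draw `extra` more bits than q has before reducing; the residual bias
    shrinks to roughly 2**-extra.  FIPS 186-4 B.5.1 uses 64 extra bits and
    maps the result into [1, q-1] via (c mod (q-1)) + 1, done here too."""
    c = secrets.randbits(q.bit_length() + extra)
    return (c % (q - 1)) + 1


def bias_table(q: int, extras=(0, 32, 64)) -> dict:
    """Bias ratio of `bits(q) + extra` input bits reduced mod q, per `extra`."""
    return {e: bias_ratio(q.bit_length() + e, q) for e in extras}


if __name__ == "__main__":
    for extra, ratio in bias_table(Q).items():
        print(f"{extra:2d} extra bits: max/min residue probability = {float(ratio):.12f}")
    print("naive k:", k_naive(Q), " extra-bits k:", k_extra_bits(Q))
```

With the toy q, zero extra bits gives a ratio of exactly 2 (some nonces are twice as likely as others); 32 extra bits brings it under 1 + 2^-31, and 64 extra bits under 1 + 2^-63. The same shape holds for a 160-bit q with a 160-bit G output, which is why the comment's claim matters only if the code beneath it actually draws the larger value before reducing.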