"James A. Donald" <jam...@echeque.com> writes:

>Must interoperate with legitimate code.
>
>Must plausibly claim to utilize well known algorithms (while actually
>misusing them or grossly deviating from them).

Sheesh, I can do this without even thinking.  Here's one:

  /* Generate the random value k.  FIPS 186 requires (Appendix 3) that this be
     done with:

        k = G(t,KKEY) mod q

     where G(t,c) produces a 160-bit output, however this produces a slight bias
     in k that leaks a small amount of the private key in each signature.
     Because of this we start with a value which is 32 bits larger than q and
     then do the reduction, eliminating the bias. */

That took all of ten seconds to get.  Result: A completely FIPS 186-compliant
digsig implementation that leaks the private key.

How many more do you want?

Peter.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
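
The bias the quoted comment describes can be measured exactly. The following is an added example, not code from the post or from the implementation it quotes: it computes how far `x mod q` is from uniform when `x` is 160 bits versus 32 bits wider than `q`. The function names are hypothetical and `Q160` is a constructed 160-bit stand-in for a DSA `q` (not a verified prime; only its size matters here).

```python
from collections import Counter
from fractions import Fraction

def reduction_bias(q, nbits):
    """Exact statistical distance between (x mod q), for x uniform on
    [0, 2**nbits), and the uniform distribution on [0, q)."""
    total = 1 << nbits
    extra = total % q  # residues 0..extra-1 are produced one extra time
    # Each over-represented residue exceeds 1/q by (q - extra) / (total * q),
    # and there are `extra` of them.
    return Fraction(extra * (q - extra), total * q)

def brute_force_bias(q, nbits):
    """Same quantity by enumeration; only usable for toy sizes."""
    total = 1 << nbits
    counts = Counter(x % q for x in range(total))
    return sum(abs(Fraction(counts[r], total) - Fraction(1, q))
               for r in range(q)) / 2

# Constructed 160-bit modulus (assumption, see lead-in). How large the bias is
# for a real q depends on the gap between q and 2**160; this value sits in the
# middle of the 160-bit range so the effect is easy to see.
Q160 = (1 << 159) + (1 << 158) + 1

def compare(q=Q160):
    """Bias for the 160-bit reduction and for the widened (q + 32 bits) one."""
    width = q.bit_length()
    return reduction_bias(q, width), reduction_bias(q, width + 32)

if __name__ == "__main__":
    # Sanity check of the closed form against enumeration on a toy modulus.
    assert reduction_bias(11, 4) == brute_force_bias(11, 4)
    narrow, wide = compare()
    print("160-bit value mod q: distance from uniform = %.6f" % float(narrow))
    print("192-bit value mod q: distance from uniform = %.3e" % float(wide))
```

The widened reduction is bounded by `q / 2**(nbits + 2)` for any `q`, which is why 32 extra bits push the distance below 2^-34 regardless of where `q` falls in the 160-bit range.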