Problems with private keyring?
Taral
taral@taral.net
Fri Mar 23 18:15:08 2001
On Fri, Mar 23, 2001 at 01:45:36AM +0100, Florian Weimer wrote:
> Taral <taral@taral.net> writes:
>
> > On Fri, Mar 23, 2001 at 12:38:53AM +0100, Florian Weimer wrote:
> > > As an added bonus, it protects against signature computation errors
> > > (due to overclocking or bugs in the MPI implementation), which
> > > was first proposed in this context by Lutz Donnerhacke. GnuPG
> > > calculates the signature in Z/pZ x Z/qZ instead of Z/nZ (which would
> > > be slower). If the computation in one component of the direct sum
> > > fails, the difference to the correct result is likely a multiple of
> > > p or q. (AFAIK, this is called a 'Bellcore attack' in German hacker
> > > circles.)
> >
> > Maybe we should do our calculations in Z/nZ by default, providing an
> > '--enable-fast-signatures' option for those who aren't (as) concerned...
>
> The verification already takes place in Z/nZ, so we can have the best
> of both worlds.
Yes, but the problem is that if signature generation takes place in Z/pZ
x Z/qZ and an error occurs during the process, it is possible to
accidentally expose the private key material. Doing (m^e mod n) directly
with modular exponentiation is more secure in this respect.
-- 
Taral <taral@taral.net>
Please use PGP/GPG to send me mail.
"Never ascribe to malice what can as easily be put down to stupidity."
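Added example, not part of the original message and not GnuPG's code: a Python sketch of the check discussed in this thread, signing in Z/pZ x Z/qZ and verifying in Z/nZ before the signature is released. The key (two Mersenne primes, no padding), the message value and all function names are assumptions made for illustration.

```python
from math import gcd

# Constructed toy key: Mersenne primes so primality is not in doubt.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)
M = 0xC0FFEE123456789                      # constructed message representative


def sign_crt(m, fault=False):
    """Compute the signature in Z/pZ x Z/qZ and recombine (Garner)."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq ^= 1  # simulated computation error in the mod-q component only
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def leaked_factor(m, s):
    """gcd(s^e - m, n): equals n for a correct s, a prime factor for a
    signature that is wrong in exactly one CRT component."""
    return gcd((pow(s, E, N) - m) % N, N)


def sign_checked(m, fault=False):
    """Verify in Z/nZ before release; on mismatch recompute without CRT."""
    s = sign_crt(m, fault)
    if pow(s, E, N) != m % N:
        s = pow(m, D, N)  # slow direct path; the faulty value never leaves
    return s


if __name__ == "__main__":
    bad = sign_crt(M, fault=True)
    print("unchecked faulty signature exposes p:", leaked_factor(M, bad) == P)
    print("checked signer output verifies:",
          pow(sign_checked(M, fault=True), E, N) == M)
```

The verification costs one public-exponent exponentiation in Z/nZ, which is cheap next to the private-key operation, so the fast CRT path can stay the default.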