Problems with private keyring?

Florian Weimer fw at
Fri Mar 23 11:14:03 CET 2001

Taral <taral at> writes:

> On Fri, Mar 23, 2001 at 12:38:53AM +0100, Florian Weimer wrote:
> > As an added bonus, it protects against signature computation errors
> > (due to overclocking or bugs in the MPI implementation), which
> > was first proposed in this context by Lutz Donnerhacke. GnuPG
> > calculates the signature in Z/pZ x Z/qZ instead of Z/nZ (which would
> > be slower).  If the computation in one component of the direct sum
> > fails, the difference to the correct result is likely a multiple of
> > p or q. (AFAIK, this is called a 'Bellcore attack' in German hacker
> > circles.)
> Maybe we should do our calculations in Z/nZ by default, providing an
> '--enable-fast-signatures' option for those who aren't (as) concerned...

The verification already takes place in Z/nZ, so we can have the best
of both worlds.

More information about the Gnupg-devel mailing list
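
The check discussed in this thread, as an added example that is not part of the original post or of GnuPG's code: a signature computed in Z/pZ x Z/qZ is verified in Z/nZ before it is released, so a computation error in one component is caught. The toy primes, the `fault` parameter and all function names are assumptions made for this demo.

```python
"""RSA-CRT signing with a verify-before-release check (constructed toy key)."""

# Constructed demo key: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)

# Constructed stand-in for a padded message digest.
M = 0x1234567890ABCDEF


def sign_crt(m, fault=0):
    """Sign in Z/pZ x Z/qZ. `fault` (hypothetical knob) is XORed into the
    mod-q half to simulate an overclocking or MPI error."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q) ^ fault
    h = (QINV * (sp - sq)) % P      # Garner recombination
    return sq + Q * h


def verify(m, s):
    """Ordinary verification, carried out in Z/nZ."""
    return pow(s, E, N) == m % N


def sign_checked(m, fault=0):
    """Release the CRT signature only if it verifies in Z/nZ."""
    s = sign_crt(m, fault)
    if not verify(m, s):
        raise ArithmeticError("signature failed self-check; not released")
    return s


if __name__ == "__main__":
    good, bad = sign_crt(M), sign_crt(M, fault=1)
    print("good verifies:", verify(M, good))
    print("faulty verifies:", verify(M, bad))
    # The mod-p half was correct, so the error is a multiple of p.
    print("difference divisible by p:", (bad - good) % P == 0)
    try:
        sign_checked(M, fault=1)
    except ArithmeticError as exc:
        print("sign_checked:", exc)
```
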