Problems with private keyring?

Taral taral at taral.net
Fri Mar 23 18:15:08 CET 2001


On Fri, Mar 23, 2001 at 01:45:36AM +0100, Florian Weimer wrote:
> Taral <taral at taral.net> writes:
> 
> > On Fri, Mar 23, 2001 at 12:38:53AM +0100, Florian Weimer wrote:
> > > As an added bonus, it protects against signature computation errors
> > > (due to overclocking or bugs in the MPI implementation), which
> > > was first proposed in this context by Lutz Donnerhacke. GnuPG
> > > calculates the signature in Z/pZ x Z/qZ instead of Z/nZ (which would
> > > be slower).  If the computation in one component of the direct sum
> > > fails, the difference to the correct result is likely a multiple of
> > > p or q. (AFAIK, this is called a 'Bellcore attack' in German hacker
> > > circles.)
> > 
> > Maybe we should do our calculations in Z/nZ by default, providing an
> > '--enable-fast-signatures' option for those who aren't (as) concerned...
> 
> The verification already takes place in Z/nZ, so we can have the best
> of both worlds.

Yes, but the problem is that if signature generation takes place in Z/pZ
x Z/qZ and an error occurs during the process, it is possible to
accidentally expose the private key material. Doing (m^e mod n) directly
with modular exponentiation is more secure in this respect.

-- 
Taral <taral at taral.net>
Please use PGP/GPG to send me mail.
"Never ascribe to malice what can as easily be put down to stupidity."
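The two-world arrangement Florian describes (sign in Z/pZ x Z/qZ, verify in Z/nZ) and the failure mode Taral worries about, as an added Python example that is not code from GnuPG or from either poster. The primes are constructed toy values (far too small for real use), the fault is simulated by a flag, and the Z/nZ check decides whether a signature is released at all:

```python
"""CRT RSA signing guarded by a Z/nZ verification check (added example).

Nothing here is GnuPG's code; the key is a constructed toy key and the
"computation error" is simulated by a flag so the check can be exercised.
"""
from typing import Optional

# Constructed toy key: two well-known primes, not a real key size.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent d = e^-1 mod phi(n)

# Precomputed CRT components (what makes the Z/pZ x Z/qZ path faster)
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)         # q^-1 mod p, for Garner recombination


def sign_crt(m: int, fault_in_p: bool = False) -> int:
    """m^d mod n computed in Z/pZ x Z/qZ and recombined with Garner's method.

    fault_in_p simulates the situation from the thread: the computation in
    one component of the direct sum goes wrong (overclocking, MPI bug).
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P    # simulated error confined to the Z/pZ half
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def sign_direct(m: int) -> int:
    """The slower alternative Taral proposes: a single exponentiation in Z/nZ."""
    return pow(m, D, N)


def verify(m: int, s: int) -> bool:
    """Public verification in Z/nZ: s^e must equal m (mod n)."""
    return pow(s, E, N) == m % N


def sign_checked(m: int, fault_in_p: bool = False) -> Optional[int]:
    """Fast CRT signature, released only if it verifies in Z/nZ.

    A faulty result is withheld rather than output: as the thread notes,
    its difference from the correct signature would be a multiple of p or q,
    so it must never leave the signing code.
    """
    s = sign_crt(m, fault_in_p)
    return s if verify(m, s) else None


if __name__ == "__main__":
    msg = 12345  # constructed message representative (already hashed/padded)
    print("crt == direct:", sign_crt(msg) == sign_direct(msg))
    print("faulty signature released:", sign_checked(msg, fault_in_p=True))
```

The verification step costs one public-exponent exponentiation in Z/nZ, which is cheap next to the private operation, so the CRT speed-up is largely retained; a faulty signature always fails the check because x -> x^e is a bijection on Z/pZ when gcd(e, p-1) = 1, so a change in the Z/pZ component cannot produce the same value mod p.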


More information about the Gnupg-devel mailing list