Adding a nonce before hashing as covert channel

andrewg andrewg at andrewg.com
Fri Dec 13 13:43:53 CET 2024


On 2024-12-13 01:16, Jacob Bachmeyer via Gnupg-devel wrote:
> On 12/12/24 05:15, Werner Koch wrote:
>> 
>> But we don't know in which way they become weak.  You can't exclude
>> that a new weakness is leveraged by the extra random salt [1]
> 
> So that would make adding salted signatures neutral:  they protect 
> against one class of unknown attacks but could also enable another 
> class of unknown attacks.

I don't see how adding a salt enables a new class of attacks. The salt 
is hashed as if it were part of the message; if it was possible to 
create a collision in a salted signature by manipulating the salt, it 
would equally be possible to create a collision in an unsalted signature 
by manipulating the first N bits of the message. But while the message 
may be attacker-controlled, the salt is not. So even if an attacker 
could generate a collision more easily using the salt, they would still 
need to make O(2^N) attempts before the victim happened by chance to 
generate a matching signature.

A
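Added illustration of the argument above (not part of the original thread or of GnuPG): a deliberately weak toy hash (SHA-256 truncated to 24 bits, a constructed stand-in for a hash that has "become weak") lets a birthday search find a colliding message pair, and prepending a signer-chosen random salt, as in the salted-signature scheme under discussion, shows that the precomputed pair no longer collides, so the attacker's work does not transfer across salts. The salt length and the toy truncation are assumptions of this example.

```python
import hashlib
import os

# Constructed weakness: SHA-256 truncated to 24 bits, so a birthday
# search needs only a few thousand evaluations. It stands in for a real
# hash in which some future collision weakness has been found.
TRUNC_BYTES = 3


def toy_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:TRUNC_BYTES]


def find_collision(prefix: bytes = b"contract-") -> tuple[bytes, bytes]:
    """Birthday search over attacker-chosen messages: returns two distinct
    messages with equal toy_hash (this is the 'unsalted' attack)."""
    seen: dict[bytes, bytes] = {}
    i = 0
    while True:
        msg = prefix + i.to_bytes(4, "big")
        h = toy_hash(msg)
        if h in seen:
            return seen[h], msg
        seen[h] = msg
        i += 1


def salted_digest(salt: bytes, msg: bytes) -> bytes:
    """Signer hashes a fresh random salt ahead of the message; the signature
    (omitted here) is then computed over this digest."""
    return toy_hash(salt + msg)


def sign_digest(msg: bytes, salt_len: int = 16) -> tuple[bytes, bytes]:
    """Signer side: the salt is chosen by the signer, never by the message author."""
    salt = os.urandom(salt_len)  # assumed salt length for this example
    return salt, salted_digest(salt, msg)


def collision_survives_salt(m1: bytes, m2: bytes, salt: bytes) -> bool:
    """Does an unsalted collision still collide once the signer's salt is prepended?"""
    return salted_digest(salt, m1) == salted_digest(salt, m2)


def salts_that_keep_collision(m1: bytes, m2: bytes, trials: int = 8) -> int:
    """Count, over fresh random salts, how often the precomputed pair still collides."""
    return sum(collision_survives_salt(m1, m2, os.urandom(16)) for _ in range(trials))


if __name__ == "__main__":
    m1, m2 = find_collision()
    print("unsalted collision:", m1 != m2 and toy_hash(m1) == toy_hash(m2))
    print("survives fresh salts:", salts_that_keep_collision(m1, m2), "of 8")
```

With an empty salt the scheme degenerates to the unsalted case, which is why the attacker-controlled prefix argument in the reply and the signer-controlled salt are not symmetric.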