Schneier mentions whooping values (whoops? I don't know the precise term) in doing modular arithmetic. I was wondering what people thought of this.
Basically, if you've got a huge finite field and do arithmetic on it, the whoop values are the residues in a much smaller field that is unknown to the end-user (attacker). Basically you use arithmetic relations on the whoops to double-check the larger bignum values you're using. He says no mpi/modular arithmetic libraries that he knows of use this technique, but it sounds intriguing.

The idea is that if an attacker exploits a bug in the modexp routines or what have you, you catch it by checking the whoops, instead of having a silent failure. Exactly what you would do in that case, I'm not sure... he suggests terminating silently, but that too is kind of a sign to the attacker. Perhaps you could continue the computations with totally random inputs... but this sounds wrong to me too.

I am reminded of some very evil advice I heard from a security guy, who said if you can't respond in a reasonable amount of time that you might want to tell the user that they had entered an invalid password or something to that effect, so that the perceived performance problem is minimized. Lie to the users? Remind me to not use that guy's software. I'll take correct over fast any day.

--
http://www.lightconsulting.com/~travis/ -><-
P=NP if (P=0 or N=1)
"My love for mathematics is like 1/x as x approaches 0."
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
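One way to implement the residue cross-check the post describes, as an added example that is not from the post or from any library it mentions: each modular multiply x*y mod n also reports its quotient q, and the integer identity x*y = q*n + r is re-checked modulo a secret random prime w that the bignum routine never sees. The 31-bit size of w, the `WoopError` name and the fault-injecting `faulty_mul` stand-in are constructed for illustration.

```python
import secrets


class WoopError(Exception):
    """Raised when a bignum result disagrees with its small-modulus shadow."""


def random_small_prime(bits=31):
    # Secret check modulus w (assumed 31 bits); trial division is fine at this size.
    while True:
        w = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(w % d for d in range(3, int(w ** 0.5) + 1, 2)):
            return w


def reference_mul(x, y, n):
    """Quotient and remainder of x*y by n: the 'real' bignum routine."""
    return divmod(x * y, n)


def faulty_mul(x, y, n):
    """Constructed stand-in for a buggy routine: one bit of the residue is wrong."""
    q, r = divmod(x * y, n)
    return q, r ^ (1 << 7)


def checked_mulmod(x, y, n, w, mul=reference_mul):
    # Over the integers x*y == q*n + r exactly, so the same identity must hold
    # modulo the secret w.  A wrong r slips through only if r' == r (mod w),
    # which for a random 31-bit w happens with probability about 1/w.
    q, r = mul(x, y, n)
    lhs = (x % w) * (y % w) % w
    rhs = ((q % w) * (n % w) + r % w) % w
    if lhs != rhs:
        raise WoopError("bignum multiply disagrees with its residue check")
    return r


def checked_modexp(base, exp, n, w=None, mul=reference_mul):
    """Left-to-right square-and-multiply; every step is cross-checked mod w."""
    w = w if w is not None else random_small_prime()
    result, b = 1 % n, base % n
    for bit in bin(exp)[2:]:
        result = checked_mulmod(result, result, n, w, mul)
        if bit == "1":
            result = checked_mulmod(result, b, n, w, mul)
    return result


def fault_detected(base, exp, n):
    """True if the residue check catches the constructed fault in faulty_mul."""
    try:
        checked_modexp(base, exp, n, mul=faulty_mul)
    except WoopError:
        return True
    return False
```

Raising an exception is one answer to the "what do you do then" question the post leaves open; the check itself is independent of that policy.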