> The caveat I gave was that protocol designers shouldn't assume those > sharp edges aren't present. I think you'll find most digital > signature algorithms break under the assumption that two keys can't > produce the same digital signature.
Exactly -- there is no cryptographic requirement on a public-key signature system that the above property holds. Protocol designers using crypto primitives should only require the properties that are actually promised. Further, before using any non-standard property, you should demand that there is a security proof reducing that property into a common computational problem that people believe is difficult to solve. /Simon
pgpGS81oM9p6z.pgp
Description: OpenPGP digital signatur
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
