On Thu, Aug 13, 2015 at 6:42 PM, Simon Josefsson <[email protected]> wrote:
> > The caveat I gave was that protocol designers shouldn't assume those
> > sharp edges aren't present. I think you'll find most digital
> > signature algorithms break under the assumption that two keys can't
> > produce the same digital signature.
>
> Exactly -- there is no cryptographic requirement on a public-key
> signature system that the above property holds. Protocol designers
> using crypto primitives should only require the properties that are
> actually promised. Further, before using any non-standard property,
> you should demand that there is a security proof reducing that property
> into a common computational problem that people believe is difficult to
> solve.

Yep, I certainly don't advise anyone relying on the signature scheme not resisting this sort of thing. It has to be belt and braces.
