James A. Donald wrote:
James Muir wrote:
 > Can anyone think of a deployed implementation of RSA
 > signatures that would be vulnerable to the attack
 > Shamir mentions?  Hashing and message blinding would
 > seem to thwart it.

As I said, public key encryption has long been known to
be weak against chosen plaintext and chosen cryptotext -
so protocols have long been designed to prevent this
sort of attack.  If they are not so designed, they were
known to be weak before this attack was discovered.

I completely agree with you.  Good public key cryptography should be
designed to resist chosen message attacks.  This has been a standard
part of cryptographic theory since the 80s.  But this is an
implementation attack, and real world implementations don't necessarily
follow all the rules of cryptographic theory.

If you or anyone else happened to know of a single real-world
implementation of RSA signatures that is vulnerable to this fault
attack, then that might give some justification for the incredible media
coverage it has received.  I can't think of any, and my feeling is that
this announcement has been over-hyped (and presented without proper
perspective).

-James


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to