On 12/30/2010 05:41 AM, Peter Gutmann wrote:
> Francois Grieu <fgr...@gmail.com> writes:

>> According to a presentation made at the 27th Chaos Communication Congress,
>> there is a serious bug in the code that was used to produce ECDSA signatures
>> for the PS3:

Haha, I just got a PS3 the other day. This is in large part a coincidence. But not entirely, since I intentionally avoid or delay the purchase of "closed" boxes, particularly from companies that have a history of installing rootkits.

>> the same secret random was reused in several signatures, which
>> allowed the team to recover the private key from signatures.

> [...] I've always regarded DLP
> algorithms (all DLP algorithms, including the ECDLP ones) as far riskier than
> RSA because there are so many things you can get wrong, many of them outside
> your direct control, while with RSA as long as you check your padding properly
> you're pretty much done.
> [...]
> - Most of them used crypto, and AFAICT in none of them was the crypto directly
> broken (Shamir's Law, crypto is bypassed not attacked).

Wouldn't you have to consider this a "crypto break" then? At least to the extent you regard EC as "risky crypto"?

The math is one thing, but perhaps we can't consider it 100% separate from the practicalities of the implementation.

>> The relevant part of the presentation starts at 5'15" in
>> http://www.youtube.com/watch?v=84WI-jSgNMQ

Oooo I'd just noticed the PS3 has an option for watching youtube. :-)

- Marsh
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography