Hi JPM,

> The patched version of rw.cpp is attached.
> It contains the patch proposed by the authors of the paper.

Can you provide a DIFF of your changes?

Jeff

On Friday, April 24, 2015 at 12:29:38 PM UTC-4, jean-pierre.muench wrote:
>
> Hey everyone,
>
> The patched version of rw.cpp is attached.
> It contains the patch proposed by the authors of the paper.
> A patch to CryptoJPM should go live within the next 24 hours.
>
> We should offer the corrected file at least in the wiki at the
> rabin-williams page (there's no such page yet) or maybe at the main page.
> We could also note on the main page that there's a security issue with
> rabin-williams and one should patch the file with the provided one.
>
> Concerning how the bug could be in there:
> Someone tried to protect Rabin-Williams against timing attacks by blinding
> the signed value. This defense works.
> However, as the blinding factor seems not to be chosen carefully enough, it
> looks like x^2=y^2 (mod n), with x and y being signatures on a message and
> n being the modulus, always holds, and in some bad cases, if some properties
> of the blinding factor come into the mix, one can factor n using GCD(n,y-x).
>
> I'm not sure if this explication makes sense, but read the paper
> <https://eprint.iacr.org/2015/368.pdf> for the full details.
>
> --
> You received this message because you are subscribed to the "Crypto++ Users" Google Group.
> To unsubscribe, send an email to [email protected].
> More information about Crypto++ and this group is available at http://www.cryptopp.com.
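The mechanism Jean-Pierre describes (two signatures x, y on the same message with x^2 = y^2 mod n, and GCD(n, y-x) splitting the modulus) is the classic Rabin property that any two *different* square roots of the same value reveal the factorisation. The example below is added here to illustrate that property and the condition under which it is harmless; it is my own code, not the Crypto++ rw.cpp code or the patch discussed in the thread, and it does not reproduce the specific blinding defect from the paper. The primes, the value `x` and all function names are constructed for the demonstration.

```python
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division, sufficient for the small toy primes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def crt(rp: int, rq: int, p: int, q: int) -> int:
    """Combine a residue mod p and a residue mod q into one residue mod p*q."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def all_square_roots(m: int, p: int, q: int) -> list:
    """All four square roots of m modulo n = p*q, for p, q = 3 (mod 4).

    Only the holder of the private key (p, q) can compute these; a
    Rabin-Williams signer outputs one of them as the signature.
    """
    rp = pow(m, (p + 1) // 4, p)   # square root of m mod p (p = 3 mod 4)
    rq = pow(m, (q + 1) // 4, q)   # square root of m mod q (q = 3 mod 4)
    assert rp * rp % p == m % p and rq * rq % q == m % q, "m is not a QR"
    return sorted({crt(sp * rp, sq * rq, p, q)
                   for sp in (1, -1) for sq in (1, -1)})


def factor_from_roots(n: int, x: int, y: int):
    """Given x^2 == y^2 (mod n), return a nontrivial factor of n, else None.

    When y == +-x (mod n) the gcd is trivial (n or 1).  That is the safe
    case: a signer that always emits the *same* root of a given value,
    blinding or not, leaks nothing through this relation.
    """
    if (x * x - y * y) % n != 0:
        return None
    g = gcd(n, (y - x) % n)
    return g if 1 < g < n else None


# Constructed toy key: both primes are 3 mod 4, as Rabin-Williams requires.
P, Q = 7907, 7919
assert is_prime(P) and is_prime(Q) and P % 4 == 3 and Q % 4 == 3
N = P * Q


def leaked_factors(x: int = 12345) -> set:
    """Treat x as one signature and every other root of x^2 as a second
    signature on the same message; collect the factors the gcd reveals."""
    m = x * x % N
    found = set()
    for y in all_square_roots(m, P, Q):
        f = factor_from_roots(N, x, y)
        if f is not None:
            found.add(f)
    return found


if __name__ == "__main__":
    print("n =", N, "factors recovered from mismatched roots:", leaked_factors())
    print("same root / negated root give:",
          factor_from_roots(N, 12345, 12345), factor_from_roots(N, 12345, N - 12345))
```

The two roots that are not plus or minus each other each yield one prime; the root `N - x` yields nothing. So the defensive requirement on a blinded Rabin-Williams signer is that unblinding must always land on the same canonical root of a given message, which is what the consistency of the blinding factor has to guarantee.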
