On 27.04.2015 at 00:07, Jeffrey Walton wrote:
> Hi JPM,
>
> > The patched version of rw.cpp is attached.
> > It contains the patch proposed by the authors of the paper.
>
> Can you provide a DIFF of your changes?
>
> Jeff
Attached. (I hope I did it right)

BR
JPM

> On Friday, April 24, 2015 at 12:29:38 PM UTC-4, jean-pierre.muench wrote:
>
> Hey everyone,
>
> The patched version of rw.cpp is attached.
> It contains the patch proposed by the authors of the paper.
> A patch to CryptoJPM should go live within the next 24 hours.
>
> We should offer the corrected file at least in the wiki at the
> rabin-williams page (there's no such page yet) or maybe at the main page.
> We could also note on the main page that there's a security issue with
> rabin-williams and one should patch the file with the provided one.
>
> Concerning how the bug could be in there:
> Someone tried to protect Rabin-Williams against timing attacks by
> blinding the signed value. This defense works.
> However, as the blinding factor seems not to be chosen carefully enough,
> it looks like x^2 = y^2 (mod n), with x and y being signatures on a
> message and n being the modulus, always holds, and in some bad cases, if
> some properties of the blinding factor come into the mix, one can factor
> n using GCD(n, y-x).
>
> I'm not sure if this explanation makes sense, but read the paper
> <https://eprint.iacr.org/2015/368.pdf> for the full details.
>
> --
> --
> You received this message because you are subscribed to the "Crypto++
> Users" Google Group.
> To unsubscribe, send an email to [email protected].
> More information about Crypto++ and this group is available at
> http://www.cryptopp.com.
> ---
> You received this message because you are subscribed to the Google
> Groups "Crypto++ Users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected]
> <mailto:[email protected]>.
> For more options, visit https://groups.google.com/d/optout.
--- rw.cpp 2015-04-27 10:34:08.115270500 +0200
+++ rw.cpp 2010-08-06 17:44:30.000000000 +0200
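Review bot: the `---`/`+++` file headers are the wrong way round relative to the hunk body: the `---` (old) file carries the 2015-04-27 timestamp and the `+++` (new) file the 2010-08-06 one, while the hunk itself removes the unpatched `} while (rInv.IsZero());` and adds the Jacobi version, i.e. it reads old-to-new. Regenerate the diff with the unpatched file as the first argument (`diff -u rw.cpp.orig rw.cpp`) so that the headers and the hunk agree and `patch -p0` applies the change in the intended direction.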
@@ -129,7 +129,7 @@
do { // do this in a loop for people using small numbers for testing
r.Randomize(rng, Integer::One(), m_n - Integer::One());
rInv = modn.MultiplicativeInverse(r);
- } while (rInv.IsZero());
+ } while (rInv.IsZero() || (Jacobi(r % m_p,m_p)==-1) || (Jacobi(r %
m_q,m_q)==-1));
Integer re = modn.Square(r);
re = modn.Multiply(re, x); // blind
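Review bot: as shown, the added `+` line is wrapped after `Jacobi(r %`, so the continuation `m_q,m_q)==-1));` carries no leading `+` and `patch` will reject the hunk as malformed; keep the whole `} while (...)` condition on one line when the diff is sent (attach it if the mailer re-wraps long lines). On the content of the same line: the comment `// do this in a loop for people using small numbers for testing` is now stale, since the loop retries for every key size until r is not a non-residue modulo p or modulo q (each Jacobi test rejects about half of all r, so roughly four iterations on average), so reword it and state the invariant the loop now establishes (r is a quadratic residue mod p and mod q) so that the next reader knows why the tests are there. Accepting `Jacobi(...) == 0` is fine: it only happens when p or q divides r, which `rInv.IsZero()` already rejects.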
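The failure mode JPM describes (two signatures on the same message with x^2 = y^2 mod n, after which GCD(n, y-x) factors n) and the effect of the extra Jacobi tests in the attached hunk, as an added Python example that is not code from this thread or from Crypto++. It models a bare Rabin signer with a blinded square root: the pre-patch loop accepts any invertible blinding factor r, the patched loop also rejects r that is a non-residue mod p or mod q. Everything below is an assumption made for the demo, not the library's behaviour: the primes P and Q are fixed Mersenne primes, the message representative is forced to be a quadratic residue by squaring a hash (standing in for the Rabin-Williams 2/-1 tweak and padding), and the Legendre symbol is computed by Euler's criterion in place of Crypto++'s Jacobi() (the two agree for a prime modulus). The function and variable names are the example's own.

```python
"""Added example, not Crypto++ code: why an unrestricted Rabin blinding factor
leaks a different square root on each signature, and why restricting r as in
the posted patch makes the signer return the same root every time."""
import hashlib
import random
from math import gcd

# Assumed key: two Mersenne primes, both 3 mod 4, so x^((p+1)/4) is a square
# root of any quadratic residue x mod p.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q


def crt(sp, sq):
    """Unique s mod N with s = sp (mod P) and s = sq (mod Q) (Garner's form)."""
    h = (sq - sp) * pow(P, -1, Q) % Q
    return (sp + P * h) % N


def canonical_root(x):
    """Deterministic square root of a QR x: the 'principal' root mod P and mod Q.
    This models the unblinded signing path; the other three roots differ by sign."""
    sp = pow(x % P, (P + 1) // 4, P)
    sq = pow(x % Q, (Q + 1) // 4, Q)
    return crt(sp, sq)


def legendre(a, p):
    """Legendre symbol (a|p) for prime p: 1 for a QR, -1 for a non-residue, 0 if p|a.
    For a prime modulus this is what Crypto++'s Jacobi() returns (assumption)."""
    t = pow(a % p, (p - 1) // 2, p)
    return -1 if t == p - 1 else t


def message_rep(msg):
    """Message representative that is a QR mod N (constructed: squaring the hash
    stands in for the Rabin-Williams 2/-1 tweak and padding)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    return h * h % N


def sign_blinded(x, rng, patched):
    """Blinded Rabin root: root(r^2 * x) * r^-1 mod N.
    patched=False: r is any invertible element (the pre-patch loop).
    patched=True:  r is also rejected when it is a non-residue mod P or mod Q
                   (the Jacobi() tests the patch adds)."""
    while True:
        r = rng.randrange(1, N)
        if gcd(r, N) != 1:          # the 'rInv.IsZero()' retry
            continue
        if patched and (legendre(r, P) == -1 or legendre(r, Q) == -1):
            continue
        break
    # root(r^2 x) mod P = (r^2 x)^((P+1)/4) = r^((P+1)/2) * x^((P+1)/4)
    #                   = (r|P) * r * x^((P+1)/4),
    # so after dividing out r the result is +-canonical_root(x) mod P with the
    # sign given by the Legendre symbol of r; the same holds mod Q.
    blinded = r * r % N * x % N
    s_blind = canonical_root(blinded)
    return s_blind * pow(r, -1, N) % N


def verify(s, x):
    """Rabin verification: s^2 = x (mod N)."""
    return s * s % N == x


def factor_from_signatures(sigs):
    """gcd(N, s1 - s2) for any pair with s1^2 = s2^2 but s1 != +-s2 is P or Q."""
    for i, s1 in enumerate(sigs):
        for s2 in sigs[i + 1:]:
            if s1 != s2 and (s1 + s2) % N != 0:
                g = gcd(N, (s1 - s2) % N)
                if 1 < g < N:
                    return g
    return None


def demo(seed=2015, n_sigs=32):
    """Sign one message repeatedly with both loops and try to factor N."""
    rng = random.Random(seed)
    x = message_rep(b"same message, signed many times")   # constructed input
    weak = [sign_blinded(x, rng, patched=False) for _ in range(n_sigs)]
    fixed = [sign_blinded(x, rng, patched=True) for _ in range(n_sigs)]
    assert all(verify(s, x) for s in weak + fixed)  # both produce valid signatures
    return {
        "weak_factor": factor_from_signatures(weak),    # P or Q: private key recovered
        "fixed_factor": factor_from_signatures(fixed),  # None
        "fixed_distinct": len(set(fixed)),              # 1: always the same root
        "fixed_is_canonical": fixed[0] == canonical_root(x),
    }


if __name__ == "__main__":
    print(demo())
```

Both signers produce signatures that verify, so the weakness is invisible to a verifier; it shows only when the same message is signed more than once. With the unpatched loop the four sign patterns are equally likely, so a handful of signatures almost surely contains a pair with s1 != +-s2, and gcd(N, s1 - s2) is P or Q. With the patched loop the Legendre symbols of r are +1, the sign flips disappear, and every signature equals the unblinded canonical root.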
