On 10 Dec 2024, at 08:48, Bernhard Reiter via Gnupg-devel <gnupg-devel@gnupg.org> wrote:
>
> On Saturday, 7 December 2024 15:35:09, Andrew Gallagher via Gnupg-devel wrote:
>> there are already countless places in the wire format that an adversary
>> could use for a covert channel,
>
> It still may not be wise to add another place.
> There can be unwanted side effects of adding a nonce
> (is what I understand from the example).
There might be; however, since the nonce is signed over as if it were the first N bits of the document, manipulating the nonce of a salted signature would be equivalent to manipulating the first N bits of a document signed by an unsalted signature. Collision attacks generally require manipulation of many more bits than are provided by a V6 signature salt, which is half the bit length of the digest algorithm. And remember that the nonce is not attacker-controlled, unlike the document. Even if there were an additional vulnerability introduced, the attacker would have a 1 in O(2^N) chance of successfully exploiting it.

> Not saying that this is done deliberately.

Of course you aren't. I do wish we could have a reasonable discussion without other people resorting to veiled allegations and FUD.

A
_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel