[sent this from the wrong address, sorry if it is a duplicate]

David-Sarah Hopwood wrote:
> Re:
>> [http://allmydata.org/trac/pycryptopp/ticket/13 pycryptopp#13]
>
> Oh, right, this is basically the idea I was asked about at the hacker
> party in June 2008 (the one where the whiteboard fell on Meredith).
>
> Shawn Willden wrote:
> # The issue I referred to has to do not with the generation of y, but of
> # the multiplication of x by y (mod q), and the subsequent use of xy as
> # the signing key. The problem is that the distribution of xy mod q
> # values is not uniform.
>
> Both DSA and ECDSA work in a prime subgroup, i.e. g generates a
> subgroup of prime order q.

Correction: for ECDSA there are two options -- q is prime, or q = 2^m.
I would recommend using only the former with this semi-private key idea
(there may or may not be an attack against the latter, but it is more
difficult to analyse).

-- 
David-Sarah Hopwood ⚥
