On Wed, 2026-07-08 at 16:04 +1000, Viktor Dukhovni wrote:
> The removal of whitening of the `m` random input to Encaps is not a
> plausible backdoor.  If all you have is a broken RNG, you're free to
> apply whitening to obtain a new less bad RNG and use that instead.

I disagree. It is one of the most common and obvious backdoors in
public key cryptography, not only since Snowden.

DSA example:
https://link.springer.com/chapter/10.1007/BFb0052241

ECDSA example:
https://arxiv.org/abs/1501.00447

Also related:
https://datatracker.ietf.org/doc/html/rfc6979

Regards

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to