On Wed, 2026-07-08 at 16:04 +1000, Viktor Dukhovni wrote: > The removal of whitening of the `m` random input to Encaps is not a > plausible backdoor. If all you have is a broken RNG, you're free to > apply whitening to obtain a new less bad RNG and use that instead.
I disagree. It is one of the most common and obvious backdoors in public key cryptography, not only since Snowden. DSA example: https://link.springer.com/chapter/10.1007/BFb0052241 ECDSA example: https://arxiv.org/abs/1501.00447 Also related: https://datatracker.ietf.org/doc/html/rfc6979 Regards _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
