[tahoe-dev] Uniformity of 'semi-private' keys [correction]

David-Sarah Hopwood david-sarah at jacaranda.org
Tue May 19 19:14:36 PDT 2009


[sent this from the wrong address, sorry if it is a duplicate]

David-Sarah Hopwood wrote:
> Re:
>> [http://allmydata.org/trac/pycryptopp/ticket/13 pycryptopp#13]
> 
> Oh, right, this is basically the idea I was asked about at the hacker
> party in June 2008 (the one where the whiteboard fell on Meredith).
> 
> Shawn Willden wrote:
> # The issue I referred to has to do not with the generation of y, but of
> # the multiplication of x by y (mod q), and the subsequent use of xy as
> # the signing key. The problem is that the distribution of xy mod q
> # values is not uniform.
> 
> Both DSA and ECDSA work in a prime subgroup, i.e. g generates a
> subgroup of prime order q.

Correction: for ECDSA there are two options -- q is prime, or
q = 2^m. I would recommend using only the former with this
semi-private key idea (there may or may not be an attack against
the latter, but it is more difficult to analyse).

-- 
David-Sarah Hopwood ⚥
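The uniformity point under discussion, as an added illustration that is not part of the original thread or of pycryptopp: when q is prime, multiplication by any nonzero x is a permutation of the nonzero residues mod q, so a uniformly chosen y gives a uniformly distributed xy mod q; when the modulus is a power of two (taken here simply as the ring of integers mod 2^m, not as a claim about ECDSA binary-field curves), the same map is only a permutation for odd x. The toy group parameters (p = 23, q = 11, g = 2) and the key values are constructed for the example and are far too small for real use.

```python
"""Check the uniformity argument behind semi-private keys on toy parameters.

A semi-private key is derived as xy mod q from a private key x and a
second secret y, and the public key for xy must equal (g^x)^y. Both the
uniformity check and the public-key consistency check below use small,
constructed numbers; nothing here is the project's own code.
"""
from collections import Counter
import secrets


def product_distribution(x, modulus):
    """Distribution of x*y mod modulus over every nonzero y (exhaustive)."""
    return Counter((x * y) % modulus for y in range(1, modulus))


def is_uniform_over_nonzero(x, modulus):
    """True iff y -> x*y mod modulus is a bijection on the nonzero residues.

    For prime modulus this holds for every x in [1, modulus-1].  For a
    composite modulus it holds only when gcd(x, modulus) == 1, so the
    derived key xy would not be uniform for the other choices of x.
    """
    dist = product_distribution(x, modulus)
    return len(dist) == modulus - 1 and all(c == 1 for c in dist.values())


def fraction_of_residues_reached(x, modulus):
    """How much of the nonzero key space x*y mod modulus can actually hit."""
    dist = product_distribution(x, modulus)
    return (len(dist) - (1 if 0 in dist else 0)) / (modulus - 1)


def derive_semiprivate_key(x, q):
    """Toy derivation: pick y uniformly from [1, q-1], return (y, x*y mod q)."""
    y = secrets.randbelow(q - 1) + 1
    return y, (x * y) % q


def semiprivate_public_key_matches(g, p, q, x, y):
    """g^(xy mod q) must equal (g^x)^y when g has prime order q mod p."""
    return pow(g, (x * y) % q, p) == pow(pow(g, x, p), y, p)


if __name__ == "__main__":
    # Constructed toy subgroup: 2 has order 11 in the multiplicative group mod 23.
    G, P, Q = 2, 23, 11
    X = 7
    y, xy = derive_semiprivate_key(X, Q)
    print("y =", y, "xy mod q =", xy)
    print("public key consistent:", semiprivate_public_key_matches(G, P, Q, X, y))
    print("uniform for prime q=11, x=5:", is_uniform_over_nonzero(5, 11))
    print("uniform for modulus 16, x=6:", is_uniform_over_nonzero(6, 16))
    print("key space reached, modulus 16, x=6:", fraction_of_residues_reached(6, 16))
```

Running the exhaustive check over all x for a small prime q confirms every nonzero x is safe; for the power-of-two modulus the even x collapse onto a fraction of the residues, which is the sort of case the author flags as harder to analyse.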
