Hi! On Fri, 6 Dec 2024 19:42, Jacob Bachmeyer said:
> Does GPG already do this? If not, can this message count as a feature
> request for secure nonces in signatures? Even 64 bits should be

The suggestion with hashing a nonce is to mitigate a specific way to
create collisions. OTOH, an arbitrary random nonce allows changing the
data in an undetectable way - maybe even creating such a collision.

Even worse, a random nonce adds a covert channel to a signed message.
This needs to be avoided in sensitive areas where encryption is not
allowed for exactly that reason. In particular, the new IETF OpenPGP
specification introduced a mandatory random salt, despite the counter
arguments that if this were added, the salt must not be random but be
derived from other information. Some people obviously want to have this
covert channel in signatures.

A nonce, actually a salt, can be introduced in a compatible way with
signature subpackets and maybe extra rules to place that salt as the
first subpacket. Of course the salt needs to be computed from other
info.

Anyway, there are no signs that SHA-256 can be attacked in a similar
way to SHA-1. The SHA3 development process clearly showed that SHA-256,
SHA-384 and SHA-512 are safe choices.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
_______________________________________________ Gnupg-devel mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-devel
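An added illustration of the covert-channel argument in the message above. This is example code written for this page, not GnuPG code and not the construction in the IETF OpenPGP draft. It assumes an HMAC over salt || message as a stand-in for the signature (so it runs with the standard library alone), a hypothetical fixed signer key, a constructed message, a hypothetical key id, and a hypothetical derivation rule for the salt (SHA-256 over a domain tag, the key id and the message). It shows that with a signer-chosen random salt a dishonest signer can put arbitrary bytes in the salt and every verifier accepts them, whereas a salt derived from public information can be recomputed and checked by the verifier, which closes the channel.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN = 32

# Assumption: an HMAC key stands in for the signer's private key so the example
# runs with the standard library only. The point about the salt is the same for
# a real asymmetric signature: the verifier checks the tag, not the salt bytes.
SIGNER_KEY = hashlib.sha256(b"example signer key").digest()  # hypothetical, fixed


def _tag(key: bytes, salt: bytes, message: bytes) -> bytes:
    """Signature stand-in: an authenticator over salt || message."""
    return hmac.new(key, salt + message, hashlib.sha256).digest()


def sign_random_salt(key: bytes, message: bytes, salt: Optional[bytes] = None) -> bytes:
    """Random-salt scheme: the signer supplies the salt, normally fresh random bytes.

    A dishonest signer may pass any 32 bytes here; nothing downstream can tell.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    return salt + _tag(key, salt, message)


def verify_random_salt(key: bytes, message: bytes, sig: bytes) -> bool:
    """The verifier has to accept whatever salt the signature carries."""
    salt, tag = sig[:SALT_LEN], sig[SALT_LEN:]
    return hmac.compare_digest(tag, _tag(key, salt, message))


def derive_salt(signer_id: bytes, message: bytes) -> bytes:
    """Derived-salt scheme (hypothetical rule): salt computed from public data
    only, so the verifier can recompute it and the signer has no free bits."""
    return hashlib.sha256(b"OpenPGP-example-salt" + signer_id + message).digest()


def sign_derived_salt(key: bytes, signer_id: bytes, message: bytes) -> bytes:
    salt = derive_salt(signer_id, message)
    return salt + _tag(key, salt, message)


def verify_derived_salt(key: bytes, signer_id: bytes, message: bytes, sig: bytes) -> bool:
    """Reject any salt that is not the one derived from the public inputs."""
    salt, tag = sig[:SALT_LEN], sig[SALT_LEN:]
    if not hmac.compare_digest(salt, derive_salt(signer_id, message)):
        return False
    return hmac.compare_digest(tag, _tag(key, salt, message))


def demo() -> dict:
    """Run both schemes with a signer that tries to smuggle text in the salt."""
    message = b"Release 2.4.7 is ready for download."   # constructed sample
    signer_id = b"0123456789ABCDEF"                       # hypothetical key id
    hidden = b"meet at 0300, bring the disk"              # covert payload
    covert_salt = hidden.ljust(SALT_LEN, b"\0")           # padded to the salt size

    # 1. Random salt: the payload rides in the salt and the signature verifies.
    sig = sign_random_salt(SIGNER_KEY, message, salt=covert_salt)
    random_ok = verify_random_salt(SIGNER_KEY, message, sig)
    recovered = sig[:SALT_LEN].rstrip(b"\0")              # receiver reads it back

    # An honest random salt verifies too, and the message is still protected.
    honest = sign_random_salt(SIGNER_KEY, message)
    honest_ok = verify_random_salt(SIGNER_KEY, message, honest)
    changed_ok = verify_random_salt(SIGNER_KEY, message + b"!", honest)

    # 2. Derived salt: the verifier recomputes the salt, so a smuggled salt is
    #    rejected even though the tag over it is otherwise well formed.
    good = sign_derived_salt(SIGNER_KEY, signer_id, message)
    smuggled = covert_salt + _tag(SIGNER_KEY, covert_salt, message)
    return {
        "random_salt_verifies": random_ok,
        "covert_payload_recovered": recovered,
        "honest_random_verifies": honest_ok,
        "random_detects_message_change": not changed_ok,
        "derived_honest_verifies": verify_derived_salt(SIGNER_KEY, signer_id, message, good),
        "derived_rejects_covert_salt": not verify_derived_salt(SIGNER_KEY, signer_id, message, smuggled),
        "covert_bits_per_signature": SALT_LEN * 8,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The random-salt verifier cannot distinguish a smuggled salt from an honest one, so every signature carries SALT_LEN * 8 bits that the verifier must pass through unchecked; the derived-salt verifier has a single acceptable value for the salt and fails closed on anything else.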
