On 2024-12-13 01:16, Jacob Bachmeyer via Gnupg-devel wrote:
On 12/12/24 05:15, Werner Koch wrote:

But we don't know in which way they become weak. You can't exclude that
a new weakness is leveraged by the extra random salt [1]

So that would make adding salted signatures neutral: they protect against one class of unknown attacks but could also enable another class of unknown attacks.

I don't see how adding a salt enables a new class of attacks. The salt is hashed as if it were part of the message; if it were possible to create a collision in a salted signature by manipulating the salt, it would equally be possible to create a collision in an unsalted signature by manipulating the first N bits of the message. But while the message may be attacker-controlled, the salt is not. So even if an attacker could generate a collision more easily using the salt, they would still need to make O(2^N) attempts before the victim happened by chance to generate a matching signature.

A
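The argument above (a salt is just a message prefix the attacker does not choose) can be checked numerically. The following is an added illustration, not code from the thread or from GnuPG: it uses a deliberately truncated SHA-256 (N_BITS = 20, a constructed stand-in for a hash with a collision weakness) so that a birthday collision is cheap to find, then shows that a collision found without the salt only survives a signer-chosen random salt with probability about 2^-N, while a salt the attacker already knows costs them nothing extra.

```python
import hashlib
import secrets

# Constructed example: a truncated SHA-256 stands in for a hash function with a
# (hypothetical) collision weakness, so a birthday search finds collisions quickly.
N_BITS = 20

def weak_hash(data: bytes) -> int:
    """Leading N_BITS of SHA-256(data); collisions are findable only because it is truncated."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") >> (32 - N_BITS)

def find_collision(prefix: bytes = b"") -> tuple[bytes, bytes]:
    """Birthday search for m1 != m2 with weak_hash(prefix + m1) == weak_hash(prefix + m2).
    `prefix` models data the attacker knows in advance: empty for the unsalted case,
    or the salt itself if the attacker controls or learns it before searching."""
    seen: dict[int, bytes] = {}
    i = 0
    while True:
        m = b"message-%d" % i
        h = weak_hash(prefix + m)
        if h in seen:
            return seen[h], m
        seen[h] = m
        i += 1

def collision_survives_salt(m1: bytes, m2: bytes, salt: bytes) -> bool:
    """Does a collision still collide once the signer's salt is hashed ahead of the message?"""
    return weak_hash(salt + m1) == weak_hash(salt + m2)

def survivals_under_random_salts(m1: bytes, m2: bytes, trials: int) -> int:
    """Count signer-chosen random salts that leave the attacker's precomputed collision intact.
    Expected value is trials / 2**N_BITS: the attacker must wait for the signer to pick a
    salt that happens to work, which is the O(2^N) cost the message above refers to."""
    return sum(collision_survives_salt(m1, m2, secrets.token_bytes(16)) for _ in range(trials))

if __name__ == "__main__":
    m1, m2 = find_collision()
    print("unsalted collision:", m1, m2, weak_hash(m1) == weak_hash(m2))
    print("survives a random salt in", survivals_under_random_salts(m1, m2, 1000), "of 1000 trials")
    # A salt the attacker knows beforehand is just a fixed message prefix: same search cost.
    known = b"attacker-known-salt"  # constructed value
    k1, k2 = find_collision(prefix=known)
    print("collision under known salt:", collision_survives_salt(k1, k2, known))
```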

_______________________________________________
Gnupg-devel mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-devel