On 28/11/14 11:41, NdK wrote:
>> Oh, I agree, I already thought that might close any 'r'-swapping security
>> issues, if there would be any; just like you can include the hash
>> algorithm in the signature to prevent swapping it out for a weaker one. But when
>> swapping 'r''s does not actually
On Thursday 27 November 2014 17:10:08 NdK wrote:
> On 27/11/2014 11:28, Peter Lebbing wrote:
>
> [Resending to list]
>
> > Perhaps I should add that it takes real research and formal proof to show
> > that this randomized hashing doesn't add attack vectors, and I have been
> > glossing over
On 27/11/2014 14:45, Peter Lebbing wrote:
On 27/11/14 13:04, NdK wrote:
(note that r is not signed, as the rhash scheme suggests and the paper
confirms!)
"In contrast to a previous proposal by the same authors, the salt r does not
need to be included under the signature."
I read this
On 27/11/2014 11:28, Peter Lebbing wrote:
[Resending to list]
> Perhaps I should add that it takes real research and formal proof to show that
> this randomized hashing doesn't add attack vectors, and I have been glossing
> over that. But that is because at a glance it looks like such resear
On 27/11/14 13:04, NdK wrote:
> (note that r is not signed, as the rhash scheme suggests and the paper
> confirms!)
> "In contrast to a previous proposal by the same authors, the salt r does not
> need to be included under the signature."
I read this quite differently. I read it as that 'r' is