This preview shows page 1. Sign up to view the full content.
Unformatted text preview: the NSA. Take their comments for what you think they’re worth. Attacks against k Each signature requires a new value of k, and that value must be chosen randomly. If Eve ever recovers a k that Alice used to sign a message, perhaps by exploiting some properties of the random-number generator that generated k, she can recover Alice’s private key, x. If Eve ever gets two messages signed using the same k, even if she doesn’t know what it is, she can recover x. And with x, Eve can generate undetectable forgeries of Alice’s signature. In any implementation of the DSA, a good random-number generator is essential to the system’s security . Dangers of a Common Modulus
Even though the DSS does not specify a common modulus to be shared by everyone, different implementations may. For example, the Internal Revenue Service is considering using the DSS for the electronic submission of tax returns. What if they require every taxpayer in the country to use a common p and q? Even though the standard doesn’t require a common modulus, such an implementation accomplishes the same thing. A common modulus too easily becomes a tempting target for cryptanalysis. It is still too early to tell much about different DSS implementations, but there is some cause for concern. Subliminal Channel in DSA
Gus Simmons discovered a subliminal channel in DSA [1468,1469] (see Section 23.3). This subliminal channel allows someone to embed a secret message in his signature that can only be read by another person who knows the key. According to Simmons, it is a “remarkable coincidence” that the “apparently inherent shortcomings of subliminal channels using the ElGamal scheme can all be overcome” in the DSS, and that the DSS “provides the most hospitable setting for subliminal communications discovered to date.” NIST and NSA have not commented on this subliminal channel; no one knows if they even knew about it. Since this subliminal channel allows an unscrupulous implementer of DSS to leak a...
View Full Document
- Fall '10