in systems based on cryptography, is robustness under non-perfect execution more important than security under perfect execution?

I've just encountered this paper that shows a weakness in a certain mixnet design that can lead to full failure (decryption or even private key loss) based on guessing bits of an RSA ciphertext:

That needs a ton of context (e.g. RSA does not have semantic security; this attack is particularly practical), (1/n)


... but it's an illustration of the general feeling one gets from studying RSA application in the real world - see Bleichenbacher - it's *fragile*.

There is a similar story with Schnorr family signatures and nonces - correctly generated nonces are secure; but even *1* bit of bias can result in insecurity (again, practicality aside - so often, the impractical has the rude habit of becoming practical, once something is under wide use).


edit: "this attack is *not* particularly practical" is what i meant to say in the first message, of course :)
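As an added illustration of the nonce-bias point above (this is not code from the original thread): a quick statistical check a defender can run against a Schnorr/ECDSA nonce generator, with a constructed generator that silently drops one bit placed beside a correctly rejection-sampled one. The secp256k1 group order is assumed, since the post names no curve.

```python
import secrets

# secp256k1 group order (assumed here; the post does not name a curve).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def nonce_one_bit_short():
    """Constructed flaw: draws only 255 random bits, so the top bit of k is
    always 0. That is exactly the "1 bit of bias" the post refers to."""
    while True:
        k = secrets.randbits(255)
        if 1 <= k < N:
            return k


def nonce_rejection_sampled():
    """Correct: draw a full 256-bit value and reject anything outside [1, N-1],
    which yields a uniform nonce with no bias in any bit."""
    while True:
        k = secrets.randbits(256)
        if 1 <= k < N:
            return k


def top_bit_fraction(gen, samples=4000):
    """Fraction of generated nonces whose top (256th) bit is set. Because N is
    only marginally below 2**256, a uniform nonce has this bit set ~50% of the time."""
    hits = sum(1 for _ in range(samples) if (gen() >> 255) & 1)
    return hits / samples


def looks_biased(gen, samples=4000, tol=0.05):
    """True if the observed top-bit frequency is far from 0.5.  With 4000 samples
    the standard error is ~0.008, so a 0.05 tolerance is a ~6-sigma test."""
    return abs(top_bit_fraction(gen, samples) - 0.5) > tol


if __name__ == "__main__":
    for name, gen in (("255-bit draw", nonce_one_bit_short),
                      ("rejection sampled", nonce_rejection_sampled)):
        print(f"{name:18s} top-bit fraction={top_bit_fraction(gen):.3f} "
              f"biased={looks_biased(gen)}")
```

The same top-bit test will not catch every bias (e.g. a fixed low bit), so in practice each bit position, or a full chi-square over byte values, should be checked the same way.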

@waxwing some of those kinds of attacks are, btw, *practical* in the physical or side-channel and timing attack schemes.

Using keys can reveal a lot of information, and in a digital world it is almost impossible to prevent someone from hearing the key bits' *sound*.
So in my view keys should only be used once and never be deterministically derivable from *master* keys. I guess I am alone in that view ... should I mention that I hate HD wallets, and that I refuse to use them?

@waxwing I wonder how long it will take until the vaccination passport signer keys are revealed by those kinds of attacks on the verifying apps.
