ietf-openpgp

Re: Secret key signature packet

2005-08-23 14:00:34

I wrote:
> I am not sure of any attack based on modifying the private key in an
> undetectable way... that would generally seem to make invalid
> signatures, and inability to decrypt.

Actually, let me revise that: I think one could likely mount an attack
based on ability to modify _parts of_ the private key.  E.g. with RSA
the relation e.d = 1 mod phi(n) would no longer hold and so forth
likely leaking parts of the private key.  And there was a long time
ago some discussion and examples of how one could modify the CFB mode
protection that is used for unsigned bulk encryption in PGP (in modes
that do not have an MDC).

Well, let's see if the original poster can explain his use-case.

But I think for the above reason it might be interesting in let's say
an example where you were to keep your private keyring on a network
drive (feeling secure in knowledge you have a good passphrase, or even
perhaps a computer generated password that you have written down); the
attack then would be that someone could modify the private keyring
perhaps adaptively and thereby compute the private key.

(Or a similar attack with the private keyring on a USB key; but the USB
key not physically secured, left where an attacker can selectively change bits.)



btw for this use-case I think using the MDC mode for encrypting the
private part would be a good step.  Might be interesting also to MAC
(with key derived from passphrase) any non-encrypted parts of the
private (and public) keyrings.

Adam
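
The last suggestion in the message above (a MAC, keyed from the passphrase, over the non-encrypted parts of the keyring), as an added sketch that is not part of the original post or of any OpenPGP implementation. The record layout, the field names and the use of PBKDF2 in place of an OpenPGP S2K are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this sketch


def derive_mac_key(passphrase: str, salt: bytes) -> bytes:
    """Derive a MAC key from the passphrase (PBKDF2 stands in for an S2K)."""
    # The fixed label keeps this key distinct from any encryption key
    # derived from the same passphrase and salt.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               b"keyring-mac" + salt, PBKDF2_ITERATIONS)


def encode_fields(record: dict) -> bytes:
    """Length-prefix each name and value so field boundaries cannot shift."""
    out = b""
    for name in sorted(record):
        if name == "mac":  # the tag itself is never part of the MAC input
            continue
        value = record[name]
        out += struct.pack(">H", len(name)) + name.encode("ascii")
        out += struct.pack(">I", len(value)) + value
    return out


def seal(record: dict, passphrase: str) -> dict:
    """Return a copy of the record with a MAC over every stored field."""
    key = derive_mac_key(passphrase, record["salt"])
    sealed = dict(record)
    sealed["mac"] = hmac.new(key, encode_fields(record), hashlib.sha256).digest()
    return sealed


def verify(record: dict, passphrase: str) -> bool:
    """Recompute the MAC before any key material in the record is used."""
    key = derive_mac_key(passphrase, record["salt"])
    expected = hmac.new(key, encode_fields(record), hashlib.sha256).digest()
    return hmac.compare_digest(expected, record.get("mac", b""))


# Constructed sample record; the field names are hypothetical, not OpenPGP's.
SAMPLE = {
    "salt": bytes(range(16)),
    "public_n": bytes.fromhex("c3a1" * 16),
    "public_e": (65537).to_bytes(3, "big"),
    "encrypted_secret": bytes.fromhex("5e" * 32),
}
```

Because the salt is itself a MAC input and also feeds the key derivation, changing any stored byte, encrypted or not, makes `verify` return False before the key is used for a private-key operation.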

