On Thu 2019-10-17 12:13:20 +0200, Michael Richardson wrote:
> That's a good point; however sometimes perfect is the enemy of good enough,
> and that has been the case for encrypted email for a long time.
> A recoverable key would be an option, not a requirement.

yep, that's why i'm trying to help think this through, even though i'm
not particularly excited about it. :)

> {An interesting (mathematical, density of primes) question would be whether
> one would be able to determine from looking at the public key whether it was
> recoverable or not. That is, can one recognize some pattern in the expanded
> DRBG. It might still be statistically secure, yet since the amount of entropy
> in the key is less than the entropy in the input, it might leave a pattern}

Can you give an example of this? I haven't tried to prove this, but i
think if the generated public key (whether a curve25519 point or an RSA
modulus) is distinguishable from other public keys, there is a strong
argument to be made that either the DRBG or the secret key derivation
mechanism is deeply flawed.
--dkg
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp