On Tue, 2016-10-04 at 08:15 +0000, Alex Davidson wrote:
> Regarding the possibility of a malicious edge using a small modulus n.
It's not a small modulus n, but n = p q r_1 .. r_n where p and q are still largish, and r_i are smallish, maybe 10 bits.
> Given that there will only be one public signing key available at any time and since this will be publicly available
We do not know how this might evolve.
If you want to save one GCD computation, then you can look into the inversion mod n operation that one already runs on the blinding factor to understand exactly how it fails if the blinding factor and n have a common divisor.
Afaik one cannot avoid computing the GCD of the FDH and n though.
Jeff
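The following is an added worked example, not code from this thread or from either participant. It is a toy RSA-FDH blind signature in which the signer's modulus is n = p q r_1 r_2 with two roughly 10-bit factors, as Jeff describes. The blinded value h(m) r^e is 0 mod r_i exactly when h(m) is, so a signer that remembers which requests were 0 mod r_i can pick out that user again when the unblinded message is redeemed; the client-side gcd of the FDH value with n stops this before anything is sent, while the inversion of the blinding factor already fails on its own when the blinding factor shares a factor with n. The primes P, Q, R1, R2, the exponent E, the counter-mode SHA-256 FDH and the message strings are all constructed for the demonstration.

```python
"""Added example: blind RSA-FDH against a modulus with hidden small factors."""
import hashlib
import math
import secrets

# Constructed parameters: largish primes (toy sizes) and two ~10-bit primes.
P, Q = 2147483647, 4294967311    # 2^31 - 1 and the first prime above 2^32
R1, R2 = 1009, 1013              # the "smallish" r_i hidden in n
N = P * Q * R1 * R2
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1) * (R1 - 1) * (R2 - 1))   # signer's secret


def fdh(msg: bytes, n: int) -> int:
    """Full-domain hash: SHA-256 in counter mode, reduced mod n."""
    nbytes = (n.bit_length() + 7) // 8 + 16   # surplus bytes keep the bias small
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
        ctr += 1
    return int.from_bytes(out[:nbytes], "big") % n


def blind(h: int, n: int, e: int, r=None):
    """Naive client: blind h with factor r; returns (blinded value, r)."""
    if r is None:
        r = secrets.randbelow(n - 2) + 2
    # The inverse is needed for unblinding anyway; pow() raises ValueError
    # when gcd(r, n) != 1, so no separate gcd on the blinding factor is needed.
    pow(r, -1, n)
    return h * pow(r, e, n) % n, r


def blind_checked(h: int, n: int, e: int, r=None):
    """Hardened client: the gcd of the FDH value with n cannot be skipped."""
    g = math.gcd(h, n)
    if g != 1:
        raise ValueError(f"FDH value shares factor {g} with n: bad modulus")
    return blind(h, n, e, r)


def sign_blinded(m_blind: int) -> int:
    return pow(m_blind, D, N)


def unblind(s_blind: int, r: int, n: int) -> int:
    return s_blind * pow(r, -1, n) % n


def verify(h: int, s: int, n: int, e: int) -> bool:
    return pow(s, e, n) == h


def find_message(prefix: bytes, pred) -> bytes:
    """Scan constructed messages prefix+i until pred(fdh(msg)) holds."""
    i = 0
    while not pred(fdh(prefix + str(i).encode(), N)):
        i += 1
    return prefix + str(i).encode()


class MaliciousSigner:
    """Signer that keeps every blinded request to test residues later."""

    def __init__(self, small_factors):
        self.small_factors = small_factors
        self.requests = []                    # (request id, blinded value)

    def sign(self, req_id: int, m_blind: int) -> int:
        self.requests.append((req_id, m_blind))
        return sign_blinded(m_blind)

    def link(self, msg: bytes) -> set:
        """Request ids whose blinded value is 0 mod the same r_i as fdh(msg)."""
        h = fdh(msg, N)
        hits = set()
        for r_i in self.small_factors:
            if h % r_i == 0:
                hits.update(rid for rid, mb in self.requests if mb % r_i == 0)
        return hits


def demo():
    """Returns (ids linked to the victim message, hardened client aborted?)."""
    signer = MaliciousSigner([R1, R2])
    victim = find_message(b"vote-", lambda h: h % R1 == 0)   # ~1/R1 of users
    decoys = [find_message(p, lambda h: math.gcd(h, N) == 1) for p in (b"a-", b"b-")]
    for rid, msg in enumerate([decoys[0], victim, decoys[1]]):
        h = fdh(msg, N)
        mb, r = blind(h, N, E)                # naive client, no gcd on h
        assert verify(h, unblind(signer.sign(rid, mb), r, N), N, E)
    linked = signer.link(victim)              # only the victim's request: {1}
    try:
        blind_checked(fdh(victim, N), N, E)   # hardened client refuses
        aborted = False
    except ValueError:
        aborted = True
    return linked, aborted


if __name__ == "__main__":
    print(demo())
```

The failing gcd is also evidence: the value it returns is a factor of n, so a client that aborts there has caught the signer with a malformed modulus rather than merely protected one request. With honest p and q the check never fails in practice and costs one gcd per signature.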