From: dreschs@austnsc.tandem.com (Sten Drescher)
On Firewalls, "Jonathan M. Bresler" <jmb@FreeBSD.ORG> said:

JMB> After several large key signing parties hundreds of known ciphertexts
JMB> could have been generated using Alice's key--each one a public key
JMB> of someone else. Over several years it piles up. The known
JMB> ciphertexts can be tested/analyzed to yield Alice's secret key.
JMB> ouch. ;/
Are you sure about this? It would seem that the same principle would then apply to signed messages as well, and I find it a bit hard to believe that signing messages would make one's key pair vulnerable.
As Kocher's paper implies, the known ciphertext attack is a TIMING attack. Simply accumulating known text/signature pairs as you would have after a "key signing party" does not help. You must know exactly how much time each signature took.

Hal
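An added illustration of the point Hal makes, written for this page and not code from any of the posters: a pile of message/signature pairs can be checked with nothing but the public key, so the pairs themselves give away no more than the public key does; what Kocher's attack needs is the running time of each private-key operation, and the countermeasure his paper suggests is blinding, which makes the timing of the exponentiation independent of the attacker-visible input. The RSA parameters below are constructed toy values (far too small to be secure) and the naive square-and-multiply is included only to show where the input-dependent work comes from.

```python
import secrets

# Constructed toy RSA parameters for illustration only (not a real key, not secure).
P = 1000003
Q = 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # private exponent, e*d == 1 (mod phi)


def modexp_naive(base, exp, mod):
    """Left-to-right square-and-multiply.  The extra multiply on each set bit of
    the secret exponent, and the varying cost of each modular reduction, are the
    input-dependent work a timing attack measures.  Used here to make the point
    visible; both signing functions below go through it."""
    result = 1
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        if bit == "1":
            result = (result * base) % mod
    return result


def sign_plain(m, d=D, n=N):
    """Textbook RSA signature s = m^d mod n, exponentiating the attacker-chosen
    message directly.  Timing of this call correlates with m and with d."""
    return modexp_naive(m, d, n)


def sign_blinded(m, d=D, e=E, n=N):
    """RSA signing with blinding (the mitigation Kocher's paper proposes):
    exponentiate m * r^e for a fresh random r, then strip r from the result.
    (m * r^e)^d == m^d * r (mod n), so multiplying by r^-1 yields the ordinary
    signature, while the value that was actually exponentiated is unknown to
    the party measuring the time."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        try:
            r_inv = pow(r, -1, n)      # ValueError if r shares a factor with n
            break
        except ValueError:
            continue
    blinded = (m * pow(r, e, n)) % n
    s_blinded = modexp_naive(blinded, d, n)
    return (s_blinded * r_inv) % n


def verify(m, s, e=E, n=N):
    """Signature check needs only the public key (e, n)."""
    return pow(s, e, n) == m


def check_pairs_with_public_key(pairs, e=E, n=N):
    """What a collector of signed messages can do with them: confirm each pair
    against the public key.  Returns True when every pair verifies; no private
    information is involved."""
    return all(verify(m, s, e, n) for m, s in pairs)


if __name__ == "__main__":
    msg = 123456
    assert sign_blinded(msg) == sign_plain(msg)
    pairs = [(m, sign_blinded(m)) for m in (42, 7777, 123456)]
    print("all pairs verify with public key:", check_pairs_with_public_key(pairs))
```

The blinded and unblinded signatures are identical, so blinding costs nothing in interoperability; the only change is that the secret-exponent work is performed on a value the observer cannot correlate with the message. Real implementations also make the exponentiation itself constant-time, but blinding is the part that directly answers the concern raised in this thread.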