PGP flaw found by Czech firm allows dig sig to be forged

lcs Mixmaster Remailer mix at anon.lcs.mit.edu
Wed Mar 21 16:20:02 PST 2001


Ian writes:
> Of course, if someone can modify your private keyring, I'd suspect your
> TCB is toast.  (Unless you're in the habit of shipping your private keyring
> around the Internet.)
>
> For the interested, this is my guess at the attack.
>
> Modify the encrypted value of p, somewhere near the middle.
> When decrypted, depending on the chaining mode, it's possible that
> only a couple of blocks of p will be mangled, and the remainder
> of the private key file will decrypt successfully.  Here's where
> PGP fails to do a MAC to verify integrity of the data.
>
> Then, it behaves just like DFA (Differential Fault Analysis).
> The idea is that to calculate a signature M^d mod n, we calculate
> M^d mod p and M^d mod q, and use the CRT to combine them to S = M^d mod n.
>
> If p is wrong, the result S' will be correct mod q but incorrect mod p,
> so S' ^ e mod q = M mod q, but S' ^ e mod p != M mod p.
>
> Therefore GCD(S' ^ e mod n, M) = q, and we're done.

Pretty good!  Actually they modify what PGP calls "u", which is p^(-1)
mod q, but get the same effect.  PGP has a simple bytewise checksum to
protect the data but it is not enough.

Now can you figure out how to do it to DSS keys?  Hint: you change the
public, not secret, data this time.
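The CRT fault attack sketched in the thread, as an added example that is not code from the thread or from PGP: a toy RSA key stored the way PGP stores it (n, e public; d, p, q and u = p^(-1) mod q secret), a Garner-form CRT signature, a simulated keyring fault (bits flipped directly in one stored secret value, standing in for a CFB-garbled block of the encrypted keyring), and the gcd recovery. Key size, seeds, the message value and every function name here are constructed for the demo; real keys are far larger and the real fault comes through the decrypted keyring.

```python
"""Toy CRT-RSA fault attack: a corrupted secret value in the keyring
turns one valid-looking signature into a factor of n.  Added example."""
import random
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin, good enough for a toy key."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits=512, seed=2001):
    """Toy RSA key in PGP's layout; seeded so the demo is reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = gen_prime(bits // 2, rng)
        q = gen_prime(bits // 2, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            break
    d = pow(e, -1, (p - 1) * (q - 1))
    # "u" is PGP's name for p^(-1) mod q, the CRT recombination constant.
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q, "u": pow(p, -1, q)}


def crt_sign(key, m):
    """S = M^d mod n via Garner: S = s_p + p * (((s_q - s_p) * u) mod q).
    Note S is congruent to s_p mod p by construction, whatever u and q hold."""
    p, q, d, u = key["p"], key["q"], key["d"], key["u"]
    s_p = pow(m, d % (p - 1), p)
    s_q = pow(m, d % (q - 1), q)
    h = ((s_q - s_p) * u) % q
    return s_p + p * h


def verify(pub_n, e, m, s):
    return pow(s, e, pub_n) == m


def recover_factor(pub_n, e, m, faulty_sig):
    """gcd(S'^e - M, n): the prime whose half of the CRT stayed correct
    divides S'^e - M, the other one does not.  Returns None if no factor."""
    f = gcd((pow(faulty_sig, e, pub_n) - m) % pub_n, pub_n)
    return f if 1 < f < pub_n else None


def corrupt(key, field, seed=7):
    """Simulate the keyring fault: flip some middle bits of one stored
    secret value (a real fault would come from a mangled CFB block)."""
    rng = random.Random(seed)
    bad = dict(key)
    bad[field] = key[field] ^ ((rng.getrandbits(64) | 1) << 16)
    return bad


def demo(field="u"):
    """Sign once with a clean key, once with `field` corrupted, attack."""
    key = keygen()
    m = 0x1234567890ABCDEF  # constructed stand-in for a padded hash, m < n
    good = crt_sign(key, m)
    assert verify(key["n"], key["e"], m, good)
    faulty = crt_sign(corrupt(key, field), m)
    assert not verify(key["n"], key["e"], m, faulty)
    return recover_factor(key["n"], key["e"], m, faulty)


if __name__ == "__main__":
    key = keygen()
    for field in ("u", "q"):
        print(field, "corrupted -> recovered p:", demo(field) == key["p"])
```

Corrupting u (what the reply says the real attack does) or q leaves S' correct mod p and wrong mod q, so the gcd yields p and the attacker has the whole key. Which secret value can be corrupted depends on which prime the recombination uses as its base: with the mirror-image formula (base q, constant q^(-1) mod p) a fault in p leaks q instead, which is the form Ian's sketch has in mind. The 16-bit bytewise checksum PGP keeps over the secret MPIs does not change any of this; only a keyed integrity check (a MAC over the encrypted key material) would let the signer refuse to use a tampered key.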

More information about the cypherpunks-legacy mailing list