1 comment

[ 4.7 ms ] story [ 12.7 ms ] thread
If the attacker can control the microcode of the CPU (RDRAND example) then couldn't she just modify the whole key generation routine anyway? I'm not saying that DJB's concerns are wrong. But to me it seems that the worst case example would mean a total compromise.

(I like the name of the IETF's randomness mailinglist dsfjdssdfsd https://www.ietf.org/mailman/listinfo/dsfjdssdfsd)

edit: I think I understand. The attack DJB proposes would be almost impossible to detect unlike changing results completely. Although the latter is probably undetectable in practice IMO.