Oddbean new post about | logout
ChipTuner | 4 months ago (raw) | root | parent | reply | flag 
 But I still can't know if the decrypted plaintext is correct. That's what I'm saying. The signature tells me nothing about the plaintext
mleku | 4 months ago (raw) | root | parent | reply | flag +1 
 yes, this is correct, you would have to have a sentinel to enable this, the first byte even it could be, or maybe better first 4 bytes to eliminate the chances of decrypting the same by both
mleku | 4 months ago (raw) | root | parent | reply | flag 
 also, yes, you don't need that bit for signature verification, that's one of the neat things about Schnorr signatures

but it does not apply to ECDH
mleku | 4 months ago (raw) | root | parent | reply | flag 
 two points though

one, having to decrypt the whole message and then discover you need to flip the bit is wasteful of computation and time

two, it still doesn't fix the problem of two 3 key users with software imputing 2 keys