On Sat, 2016-05-07 at 13:14 -0700, Watson Ladd wrote:
> I'm not sure I understand the concern here. An attacker sees that we got unlucky: that doesn't help them with recovering SEED under mild assumptions we need anyway about SHAKE indistinguishability.
We're assuming the adversary controls a node in your circuit and hence sees your seed later. You get unlucky like over 400 times, so, if they can record enough of the failure pattern, then their node can recognize you from your seed.
Jeff
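The linking attack Jeff describes, as an added example that is not code from this thread or from any project under discussion. It assumes a rejection sampler that draws 16-bit values from SHAKE-128(seed), rejects draws at or above 5*Q with Q = 12289 and reduces the rest mod Q; the real sampler, the seed format and the candidate-seed pool are all assumptions, not taken from the page. The point it shows is the one in the reply: the "unlucky" draws are a deterministic function of the seed, so a node that records the failure pattern and later learns the seed can recognise the earlier session.

```python
import hashlib

# Illustrative parameters, assumed for this example (the thread does not give
# the real sampler): draw 16-bit values from SHAKE-128(seed), reject any draw
# >= 5*Q, and reduce accepted draws mod Q.
Q = 12289
N_COEFFS = 1024
BOUND = 5 * Q          # 61445: draws at or above this are "unlucky"
STREAM_DRAWS = 8192    # far more than the ~1092 draws typically needed


def sample_with_rejections(seed: bytes):
    """Rejection-sample N_COEFFS values from SHAKE-128(seed).

    Returns (coeffs, rejected) where rejected lists the draw indices at
    which the sampler got unlucky. SHAKE is deterministic in the seed, so
    the rejection pattern is a function of the seed alone.
    """
    stream = hashlib.shake_128(seed).digest(2 * STREAM_DRAWS)
    coeffs, rejected = [], []
    for draw in range(STREAM_DRAWS):
        val = int.from_bytes(stream[2 * draw:2 * draw + 2], "little")
        if val >= BOUND:
            rejected.append(draw)
        else:
            coeffs.append(val % Q)
        if len(coeffs) == N_COEFFS:
            return coeffs, rejected
    raise ValueError("SHAKE stream exhausted before N_COEFFS accepted draws")


def observed_failure_pattern(seed: bytes) -> tuple:
    """What a node watching the sampler (for instance via retry timing) could
    record: the positions of the unlucky draws, the thread's 'failure pattern'."""
    return tuple(sample_with_rejections(seed)[1])


def link_seed(pattern: tuple, candidate_seeds) -> list:
    """Adversary who later learns candidate seeds: recompute each seed's
    failure pattern and return the seeds that reproduce the recorded one."""
    return [s for s in candidate_seeds if observed_failure_pattern(s) == pattern]


if __name__ == "__main__":
    victim = bytes.fromhex("00" * 31 + "01")        # constructed seed
    pattern = observed_failure_pattern(victim)
    print(f"{len(pattern)} unlucky draws recorded")
    # constructed pool of seeds the adversary later sees; the victim's is among them
    pool = [bytes([i]) * 32 for i in range(2, 8)] + [victim]
    print("linked:", link_seed(pattern, pool) == [victim])
```

Nothing here recovers the seed from the pattern, which is Watson's point; the pattern only becomes a fingerprint once the seed is revealed to the same observer through some other path, which is Jeff's.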