> Since the first three bytes of the SSH protocol signature input are different from the ssh-keygen signature input, the SSH client and ssh-keygen will never produce identical signatures. Therefore, there is no risk of cross-protocol attacks
That's not convincing to me. Does anyone have more details on this?
It does not seem right to me that a signing protocol secure for similar things would necessarily be secure against random things; an LFR over a long sequence seems like it could be different than a single feedback over random space, and sometimes that difference could be important.
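A concrete look at the claim in the quoted text, as an added example that is not part of this thread and not OpenSSH's own code. It builds the two byte strings that actually get signed: the `publickey` userauth request the SSH client signs (RFC 4252 section 7) and the blob that `ssh-keygen -Y sign` signs (OpenSSH's PROTOCOL.sshsig). The userauth buffer opens with the uint32 length of the session identifier, which is a hash output and therefore far shorter than 2^24 bytes, so its first three bytes are always `00 00 00`; the sshsig buffer opens with the literal magic `SSHSIG`. The session id, key blob and file contents below are constructed placeholders, and the example only covers the client-side userauth signature, which is the one the quoted text refers to.

```python
import hashlib
import struct

SSH_MSG_USERAUTH_REQUEST = 50   # RFC 4252
SSHSIG_MAGIC = b"SSHSIG"        # PROTOCOL.sshsig MAGIC_PREAMBLE


def ssh_string(b: bytes) -> bytes:
    """SSH 'string' wire type (RFC 4251): uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def userauth_signed_data(session_id, user, service, key_alg, pubkey_blob):
    """Bytes the SSH client signs for 'publickey' authentication (RFC 4252 section 7).

    The server rebuilds this same buffer from its own session identifier before
    verifying, so the peer never chooses the leading bytes.
    """
    return (
        ssh_string(session_id)
        + bytes([SSH_MSG_USERAUTH_REQUEST])
        + ssh_string(user)
        + ssh_string(service)
        + ssh_string(b"publickey")
        + b"\x01"                     # boolean TRUE: a signature is present
        + ssh_string(key_alg)
        + ssh_string(pubkey_blob)
    )


def sshsig_signed_data(namespace, message, hash_alg="sha256"):
    """Bytes ssh-keygen -Y sign actually signs (OpenSSH PROTOCOL.sshsig).

    The message itself is never signed directly; only its hash is, inside a
    structure that opens with a fixed magic and a caller-chosen namespace.
    """
    digest = hashlib.new(hash_alg, message).digest()
    return (
        SSHSIG_MAGIC
        + ssh_string(namespace)
        + ssh_string(b"")             # reserved, empty
        + ssh_string(hash_alg.encode())
        + ssh_string(digest)
    )


def separated(a: bytes, b: bytes, n: int = 3) -> bool:
    """The check the quoted text relies on: the first n bytes differ."""
    return a[:n] != b[:n]


def userauth_prefix_is_zero_for_all_hash_sizes(max_len: int = 64) -> bool:
    """Session identifiers are hash outputs (20..64 bytes in practice); any
    length below 2**24 yields a leading 00 00 00 from the uint32 length field."""
    return all(
        userauth_signed_data(b"\xff" * n, b"u", b"ssh-connection", b"ssh-ed25519", b"k")[:3]
        == b"\x00\x00\x00"
        for n in range(1, max_len + 1)
    )


def demo():
    """Constructed sample inputs (not real keys or sessions); returns both buffers."""
    session_id = hashlib.sha256(b"constructed kex transcript").digest()
    pubkey_blob = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)  # constructed key
    ua = userauth_signed_data(session_id, b"alice", b"ssh-connection", b"ssh-ed25519", pubkey_blob)
    sig = sshsig_signed_data(b"file", b"constructed file contents")
    return ua, sig


if __name__ == "__main__":
    ua, sig = demo()
    print("userauth prefix:", ua[:3].hex(), " sshsig prefix:", sig[:3].hex())
    print("domains separated:", separated(ua, sig))
```

The point the bytes make is that the separation is not a property of the signature algorithm but of the framing: both verifiers reconstruct the framed buffer themselves (sshd from its own session identifier, `ssh-keygen -Y verify` from the magic and namespace), so a signature produced over one framing cannot be replayed as a signature over the other, whatever the key type.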