We find from qntra that Werner Koch has been deliberately subverting the cryptographic strength of his braindamaged implementation of RSA for its entire existence. Finally caught, two decades later, he characteristically is neither willing to admit it nor to desist from the practice.
At issue is the offensive habit of "whitening"[i], which in this case has covered up at the minimum the loss of 20 bytes for every 580, and maximally the loss of all bytes past the 580th. Certainly worthy of all derision are the rhetorical gymnastics Werner Koch is willing to engage in :
This bug does not affect the default generation of keys because running gpg for key creation creates at most 2 keys from the pool: For a single 4096 bit RSA key 512 bytes of random are required and thus for the second key (encryption subkey), 20 bytes could be predicted from the first key. However, the security of an OpenPGP key depends on the primary key (which was generated first) and thus the 20 predictable bytes should not be a problem. For the default key length of 2048 bit nothing will be predictable.
Translated to human language, the squirmings of the worm read something very much like
This bug does not affect key generation because it affects key generation ; also my boss told me to tell you to use 2048 bit keys and also neener you about how you know, no matter what you do it still doesn't matter. Maybe you end up believing that nonsense, and so don't come with torches and tar to boil both him and me, like we deserve.
This isn't the first time Werner Koch was caught spewing nonsense for his "Equation Group" patrons, either. Back in May 2015 he was one of the main proponents of the (meanwhile discredited) "cosmic rays" explanation for the Phuctor finds ; which he pushed diligently along with the rest of the USG talking points on the topic - including the pretense that the set is small (which it turned out not to be), known in advance (which it turned out not to be), homogeneous in origin (which, similarly, it turned out not to be) and harmless (which it ... turned out not to be[ii], obviously).
Always remember : a USG stooge is very similar to a syphilitic whore - whatever she may say ; whatever she may do ; the spirochetes are there waiting to infect you.
Update : Applying a trivial sanity check (after an original idea by Stan), you get the ultimate beauty of all time : Turns out that the perceived artefacts were a function of log_hexdump vs log_mpidump implementation and not relevant to the discussion.
[i] Universally and without exception a bad idea - it is the cryptographic equivalent of spraying on perfume instead of taking the bath. Strictly the only end whitening achieves is hiding the poor quality of entropy from the operator ; it does absolutely nothing to hide it from the enemy, who knows the whitening function and need only enumerate the few states the underlying source can actually take.
[ii] See item VIII in the Phuctor FAQ.
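A worked illustration of footnote [i], added here and not part of the original post or of any GnuPG/Libgcrypt code : a toy entropy source assumed to have only 16 bits of state is "whitened" through SHA-256. The output scores a near-perfect 8 bits per byte on a frequency test (what the operator sees), yet an attacker who knows the public whitening function recovers the seed from the first 32 output bytes by brute force and then predicts the entire stream. The seed width, the counter-mode construction and the sample sizes are assumptions chosen for the demonstration.

```python
"""Perfume vs. bath: whitening a weak seed (added example, not GnuPG code)."""
import hashlib
import math
from collections import Counter
from typing import Optional

SEED_BITS = 16  # assumption: the "entropy source" has only 2**16 reachable states


def whiten(seed: int, nbytes: int = 4096) -> bytes:
    """Stretch a seed into nbytes of output with SHA-256 in counter mode.

    The output passes statistical tests no matter how little entropy
    the seed carries; the construction adds zero unpredictability.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        block = seed.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:nbytes])


def byte_entropy(data: bytes) -> float:
    """Shannon entropy per byte (max 8.0): the operator's view of quality."""
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def recover_seed(observed_prefix: bytes) -> Optional[int]:
    """Attacker's view: the whitening function is public, so try every seed.

    observed_prefix is the first few output bytes (32 suffice here).
    Cost is 2**SEED_BITS hashes, i.e. the real entropy, not the 8 bits/byte
    the statistics report.
    """
    probe_len = len(observed_prefix)
    for candidate in range(1 << SEED_BITS):
        if whiten(candidate, probe_len) == observed_prefix:
            return candidate
    return None


def predict_rest(observed_prefix: bytes, total_len: int) -> Optional[bytes]:
    """Once the seed is known, every later output byte is predictable."""
    seed = recover_seed(observed_prefix)
    if seed is None:
        return None
    return whiten(seed, total_len)


if __name__ == "__main__":
    seed = 0xBEEF  # constructed sample seed
    stream = whiten(seed, 4096)
    print("entropy per byte seen by operator: %.3f" % byte_entropy(stream))
    print("true entropy in bits: %d" % SEED_BITS)
    found = recover_seed(stream[:32])
    print("attacker recovered seed: %s" % (hex(found) if found is not None else None))
    print("full stream predicted:", predict_rest(stream[:32], 4096) == stream)
```

The frequency test is the only thing whitening improves; the brute-force loop is what the enemy actually runs, and its cost is fixed by the source, not by the hash in front of it.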