SECURITY OF THE RSA IMPLEMENTATION
==================================

1)  Public-key size: By default a public-key generated by this implementation
    is likely to be significantly larger than 1024 bits in size.
    This is currently considered to provide long-term security.

2)  Small encryption exponent and sending the same message to more than one
    entity: This attack has been countered by salting the plaintext message
    prior to encryption.

3)  Forward search attack: This attack has been countered by salting the
    message.

4)  Small decryption exponent: The implementation ensures that the decryption
    exponent is sufficiently large, as required for security.

5)  Multiplicative properties: The digital signature system rejects fraudulent
    messages. Also, the implementation imposes structural constraints on
    plaintext messages and rejects decrypted ciphertexts which do not possess
    this structure.

6)  Common modulus attack: Not applicable.

7)  Cycling attacks: Does not pose a threat since they are essentially the
    same as factoring which is currently considered to be intractable.

8)  Message concealing: Does not pose a threat because the encryption
    exponent has been hard-wired to 65537 and because the implementation
    guarantees there are no unconcealed messages.

9)  Selecting primes p and q: The implementation selects p and q to be
    large, distinct and very roughly the same size, as required for security.

10) The encryption exponent has been hard-wired at 65537 which is
    a particularly good choice for security reasons.

11) Coppersmith's two attacks on RSA with small encryption exponents have
    been countered by breaking up the message to be encrypted into random
    sized chunks. Additionally, with respect to his second attack on padded
    ciphertexts, it is likely that the padding is larger than 1/9 of the
    length of n.

And most importantly:

12) The implementation only uses pure RSA salted encryption/decryption.
    Security risks from symmetric ciphers are thus eliminated.

13) The digital signature generated by the RSA digital signature scheme with
    appendix is encrypted using pure RSA salted encryption/decryption.
    Security risks associated with digital signatures are thus eliminated.


References:

"Handbook of Applied Cryptography"
		by A. Menezes, P. van Oorschot and S. Vanstone.


SECURITY OF THE LEOPARD14 IMPLEMENTATION
========================================

1)  The ARC4 algorithm is considered secure.

2)  Leopard14 is based on the ARC4 algorithm.

3)  Leopard14 passes rigorous numerical testing (including DIEHARD test-suite).
    Its security should be much higher than ARC4.

4)  The use of Leopard14 to encrypt the private-key should be completely
    secure, since a Cipher-Packet technique is used in conjunction with it.


References:

http://www.wizardsworks.org/~robin/leopard.html
		by Robin Carey
