RE: [Cfrg] On using ROs for analyzing randomness extraction functions

"Ilya Mironov" <mironov@microsoft.com> Fri, 28 October 2005 23:38 UTC

Subject: RE: [Cfrg] On using ROs for analyzing randomness extraction functions
Date: Fri, 28 Oct 2005 16:38:07 -0700
Message-ID: <57C42FE699E1094BAC3C8679E61650E705E10293@RED-MSG-53.redmond.corp.microsoft.com>
From: Ilya Mironov <mironov@microsoft.com>
To: cfrg@ietf.org

> > to prove.  We wouldn't say that the "hash-then-sign" task is impossible in
> > reality, even though it is true that there do exist (contrived-looking)
> > trapdoor permutations that interact with SHA256 badly enough to make
> > "hash-then-sign" insecure with those trapdoor permutations.
> 
> Could you provide a reference to or sketch of what such a function might look
> like? I gave it a bit of thought and couldn't see any way of creating a
> trapdoor such as you describe, so now I'm curious.

For the record, a (full domain) hash-and-sign signature based on a
trapdoor permutation cannot be proved secure in the standard model by a
black-box reduction, as shown recently by Yevgeniy Dodis, Roberto
Oliveira and Krzysztof Pietrzak in "On the Generic Insecurity of the Full
Domain Hash" (Crypto'05).

--Ilya

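For readers following the thread, the construction under discussion, full-domain-hash (FDH) hash-then-sign over a trapdoor permutation, as an added worked example. This is not code from the message or from the Dodis, Oliveira and Pietrzak paper, and it says nothing about their impossibility result; it only makes concrete what "full domain" and "hash-then-sign" mean. The trapdoor permutation is a constructed toy RSA instance with a roughly 40-bit modulus (not secure, illustration only), and SHAKE-256 with a counter stands in as the hash that is expanded and rejection-sampled onto Z_N^*.

```python
import hashlib
import math


def next_prime(n: int) -> int:
    """Smallest prime >= n, by trial division (fine for the tiny toy modulus)."""
    def is_prime(k: int) -> bool:
        if k < 2:
            return False
        for f in range(2, math.isqrt(k) + 1):
            if k % f == 0:
                return False
        return True
    while not is_prime(n):
        n += 1
    return n


# Constructed toy RSA trapdoor permutation (~40-bit modulus), for illustration only.
P = next_prime(10**6)
Q = next_prime(P + 1)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def fdh(message: bytes, n: int) -> int:
    """Full-domain hash: map the message onto Z_N^*, the domain of the permutation.

    Hashes (message || counter) to exactly as many bytes as the modulus needs and
    rejects outputs outside [1, n-1] or not coprime to n, so the digest is spread
    over the whole domain of the permutation, which is what 'full domain' means.
    """
    nbytes = (n.bit_length() + 7) // 8
    for counter in range(1 << 16):
        digest = hashlib.shake_256(message + counter.to_bytes(4, "big")).digest(nbytes)
        x = int.from_bytes(digest, "big")
        if 1 <= x < n and math.gcd(x, n) == 1:
            return x
    raise RuntimeError("could not hash into Z_N^*")  # not reachable in practice


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Hash-then-sign: invert the trapdoor permutation on the full-domain hash."""
    return pow(fdh(message, n), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Apply the public (forward) permutation and compare with the hash."""
    return 0 < signature < n and pow(signature, e, n) == fdh(message, n)


if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg)
    print("N =", N, "sig =", sig, verify(msg, sig), verify(b"tampered", sig))
```

The rejection loop in `fdh` is the detail that distinguishes FDH from a plain "hash then apply the permutation" scheme: a fixed-length digest shorter than the modulus would leave most of Z_N^* unreachable, and the security proofs for FDH (in the random oracle model) rely on the hash ranging over the whole domain.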
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg