[Cfrg] New Randomized Hashing Draft
"Hugo Krawczyk" <hugo@ee.technion.ac.il> Thu, 25 October 2007 21:39 UTC
Message-ID: <e89b43830710251438r3131465end1c357957eee98c@mail.gmail.com>
Date: Thu, 25 Oct 2007 17:38:47 -0400
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
To: cfrg@ietf.org
Cc: Shai Halevi <shaih@alum.mit.edu>, "Hugo Krawczyk (ee)" <hugo@ee.technion.ac.il>
Subject: [Cfrg] New Randomized Hashing Draft
We have submitted a new version of our randomized hashing internet draft, which is posted under
http://www.ietf.org/internet-drafts/draft-irtf-cfrg-rhash-01.txt

Here is the abstract:

This document describes a randomized hashing scheme consisting of a simple message randomization transform that, when used as a front-end to regular hash-then-sign signature schemes, such as RSA and DSS, frees these signatures from their current vulnerability to off-line collision attacks against the underlying hash function. The proposed mechanism can work with any hash function as-is and requires no change to the underlying signature algorithm. Incorporating this mechanism into existing applications requires changes that are comparable in their complexity to accommodating a new (deterministic) hash function such as SHA-256.

It is worth stressing that the scheme has been simplified considerably from a first version of this proposal, which required the change to encoding algorithms such as those in PKCS 1. No such change is required now.

The draft contains a FULL specification and discusses implementation issues, in particular how to accommodate the extra random salt required by the scheme. It also reports on several experimental implementations carried out by different teams.

A web page with detailed information on the scheme, including papers on analysis and implementation, can be found in
http://www.ee.technion.ac.il/~hugo/rhash/

The specification in this internet draft is aligned with NIST's recent Special Publication 800-106 (Draft) "Randomized Hashing Digital Signatures"
http://csrc.nist.gov/publications/drafts/Draft-SP-800-106/Draft-SP800-106.pdf
that describes the same scheme. The main difference in our spec is that we allow for some optimizations for specific hash families (most notably Merkle-Damgard).

We welcome comments, especially any feedback related to the suitability of the technique for specific applications and potential interest in specific IETF WGs.

Please send comments to the authors (cc-ed above) or via the cfrg mailing list.

Hugo
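The following is an added illustration of the idea in the abstract above; it is not code from the draft, from NIST SP 800-106, or from the authors. It uses a deliberately weakened hash (SHA-256 truncated to 32 bits) so that an off-line collision can be found in a fraction of a second, then shows that the colliding pair stops colliding once the message is passed through a salt-based randomization transform before hashing. The transform here (prepend the salt, XOR each salt-sized block of the message with the salt) is a simplification: the real RMX encoding in the draft and in SP 800-106 adds padding and length fields that are omitted, and the 16-byte salt length is an assumption of this example, not a value taken from the draft.

```python
"""Randomized hashing as a front-end to hash-then-sign: added example.

The structure shown (random salt r chosen by the signer after the message
is fixed, message XORed block-wise with repeated r, salt prepended, then
the unmodified hash function applied) follows the idea described in the
post. The exact RMX encoding of draft-irtf-cfrg-rhash / SP 800-106, with
its padding and length fields, is NOT reproduced here.
"""
import hashlib
import os

SALT_LEN = 16        # bytes; assumed for this example, not the draft's value
TOY_HASH_BYTES = 4   # truncate to 32 bits so collisions are cheap to find


def toy_hash(data: bytes) -> bytes:
    """Deliberately weak hash standing in for a function that has lost
    collision resistance: SHA-256 truncated to 32 bits."""
    return hashlib.sha256(data).digest()[:TOY_HASH_BYTES]


def rmx(salt: bytes, message: bytes) -> bytes:
    """Simplified randomization transform: salt || (m_1 ^ salt) || (m_2 ^ salt) ...
    A final short block is XORed with the matching prefix of the salt.
    The transform is invertible given the salt, so the verifier can apply it
    to the received message and the received salt and hash the result."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    out = bytearray(salt)
    for i in range(0, len(message), SALT_LEN):
        block = message[i:i + SALT_LEN]
        out.extend(b ^ s for b, s in zip(block, salt))
    return bytes(out)


def randomized_digest(salt: bytes, message: bytes, hash_fn=toy_hash) -> bytes:
    """What the signature algorithm actually signs. The hash function is used
    as-is; only its input changed, which is why RSA/DSS need no modification."""
    return hash_fn(rmx(salt, message))


def fresh_salt() -> bytes:
    """The signer draws the salt at signing time, after the message is fixed,
    so no attacker can prepare colliding messages against it in advance."""
    return os.urandom(SALT_LEN)


def find_offline_collision(hash_fn=toy_hash, limit=2_000_000):
    """Birthday search over constructed messages 'msg-0', 'msg-1', ...
    Returns two distinct messages with equal hash. No salt is involved:
    this is the off-line work the abstract refers to."""
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i
        h = hash_fn(m)
        if h in seen:
            return seen[h], m
        seen[h] = m
    raise RuntimeError("no collision found within limit")


def collides_after_randomization(m1: bytes, m2: bytes, salt: bytes,
                                 hash_fn=toy_hash) -> bool:
    """True if the pair still collides once both are randomized with `salt`.
    For a salt independent of m1, m2 this happens only with the hash's
    generic collision probability (2^-32 for the toy hash)."""
    return randomized_digest(salt, m1, hash_fn) == randomized_digest(salt, m2, hash_fn)


if __name__ == "__main__":
    m1, m2 = find_offline_collision()
    print("plain-hash collision:", m1, m2, toy_hash(m1).hex())
    salt = fresh_salt()
    print("still collides after RMX with fresh salt:",
          collides_after_randomization(m1, m2, salt))
```

The point for an implementer is in `randomized_digest`: the signer must transmit the salt next to the signature, and the verifier must recompute the digest from the received salt and message rather than from the message alone; the draft's discussion of how to carry that extra salt is exactly this plumbing.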