IETF Logo Mail Archive

Re: [Cfrg] On using ROs for analyzing randomness extraction functions

Jack Lloyd <lloyd@randombit.net> Fri, 28 October 2005 22:25 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVcfD-0002zF-9G; Fri, 28 Oct 2005 18:25:31 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVcfB-0002yl-Vd for cfrg@megatron.ietf.org; Fri, 28 Oct 2005 18:25:29 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA23760 for <cfrg@ietf.org>; Fri, 28 Oct 2005 18:25:13 -0400 (EDT)
Received: from saria.randombit.net ([66.179.181.167] helo=mail.randombit.net) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVcsq-0007Jh-LW for cfrg@ietf.org; Fri, 28 Oct 2005 18:39:36 -0400
Received: by mail.randombit.net (Postfix, from userid 501) id 7E410247C0FA; Fri, 28 Oct 2005 18:25:28 -0400 (EDT)
Date: Fri, 28 Oct 2005 18:25:28 -0400
From: Jack Lloyd <lloyd@randombit.net>
To: cfrg@ietf.org
Subject: Re: [Cfrg] On using ROs for analyzing randomness extraction functions
Message-ID: <20051028222528.GR6237@randombit.net>
Mail-Followup-To: cfrg@ietf.org
References: <200510282155.j9SLtEFu013404@taverner.CS.Berkeley.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <200510282155.j9SLtEFu013404@taverner.CS.Berkeley.EDU>
X-PGP-Fingerprint: 3F69 2E64 6D92 3BBE E7AE 9258 5C0F 96E8 4EC1 6D6B
X-Spam-Score: 0.0 (/)
X-Scan-Signature: ffa9dfbbe7cc58b3fa6b8ae3e57b0aa3
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

On Fri, Oct 28, 2005 at 02:55:14PM -0700, David Wagner wrote:
> Jack Lloyd writes:
> >David Wagner writes:
> >> there do exist (contrived-looking)
> >> trapdoor permutations that interact with SHA256 badly enough to make
> >> "hash-then-sign" insecure with those trapdoor permutations.
> >
> >Could you provide a reference to or sketch of what such a function might look
> >like? I gave it a bit of thought and couldn't see any way of creating a
> >trapdoor such as you describe, so now I'm curious.
> 
> Hmm.  Here's a boring one.  Let (d,n) be a RSA private key.
>     Trapdoor(X):
>     1. If X=SHA256(0), output d.
>     2. Otherwise, output X^d mod n.
> Note that Sign(M) = Trapdoor(SHA256(M)) is insecure in the real world
> (just ask for a signature on the all-zeros message), but Sign(M) =
> Trapdoor(H(M)) is secure in the random oracle model.

Makes sense, thanks. My confusion came about because I assumed that the scheme
you referred to was one that would be insecure for arbitrary inputs (or at
least a large set of inputs) if used as a signature scheme with one (previously
selected) secure hash function but secure if instantiated with a different
secure hash function.

-Jack

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email