Re: [Hash] randomized hashes and DSA

Eric Rescorla <> Thu, 04 August 2005 07:26 UTC

To: "Steven M. Bellovin" <>
Subject: Re: [Hash] randomized hashes and DSA
In-reply-to: Your message of "Wed, 03 Aug 2005 19:20:43 EDT." <>
X-Mailer: MH-E 7.4.3; nmh 1.0.4; XEmacs 21.4 (patch 17)
Date: Thu, 04 Aug 2005 00:26:10 -0700
From: Eric Rescorla <>
Message-Id: <>
Cc: Hash WG <>

Steven M. Bellovin <> wrote:
> At the hash BoF, Ran Canetti suggested using the same random number for 
> the hash as for the DSA signature.  That left me feeling very uneasy.  
> I think I can now show that it's a very bad idea.
> The problem is that the two have very different properties.  The random 
> number used for signing must remain confidential; the random number for 
> hashing need only be unpredictable.  If I receive a signed message, in 
> order to verify it I need to have the random number to feed to the hash 
> function.  But before this, the hash module did not need to have any 
> confidentiality properties.  With this scheme, it does.  This imposes a 
> significant new requirement on the modularization of the total system.

I was assuming that Ran meant r, which is computed by generating
a random k and then computing: (g^k mod p) mod q
where k is random and secret. r, however, is public and part of
the signature, and random since it was derived from k.
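An added illustration of the reading above, not code from this thread or from any DSA implementation: a toy DSA in which r = (g^k mod p) mod q is computed first, used as the randomizer for the message hash, and then shipped in the signature, while k is used once and discarded. The parameters are deliberately tiny (a safe-prime pair found by trial division), the salting construction (salt prepended to the message before SHA-256) is an assumption chosen for clarity, and the message is constructed.

```python
import hashlib
import secrets


def _is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy-sized parameters used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def toy_params(start: int = 1 << 20):
    """Smallest safe-prime pair q, p = 2q + 1 at or above `start`, plus a
    generator g of the order-q subgroup. Far too small for real use."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = pow(2, (p - 1) // q, p)  # h = 2 raised to (p-1)/q lands in the q-subgroup
    assert g != 1 and pow(g, q, p) == 1
    return p, q, g


def randomized_hash(salt: int, msg: bytes, q: int) -> int:
    """Randomized hash (assumed construction): salt prepended to the message.
    The salt must be unpredictable to the attacker, but it need not be secret."""
    salt_bytes = salt.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(salt_bytes + msg).digest(), "big") % q


def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1  # private key
    y = pow(g, x, p)                  # public key
    return x, y


def sign(p, q, g, x, msg: bytes):
    while True:
        k = secrets.randbelow(q - 1) + 1   # per-signature nonce: secret, used once
        r = pow(g, k, p) % q               # public: derived from k, sent in the signature
        if r == 0:
            continue
        e = randomized_hash(r, msg, q)     # hash module only ever sees the public r
        s = (pow(k, -1, q) * (e + x * r)) % q
        if s == 0:
            continue
        return r, s                        # k is dropped here and never leaves the signer


def verify(p, q, g, y, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    e = randomized_hash(r, msg, q)  # verifier recomputes the salted hash from r alone
    w = pow(s, -1, q)
    u1 = (e * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def demo(msg: bytes = b"constructed sample message"):
    """Sign the same constructed message twice and report what a verifier sees."""
    p, q, g = toy_params()
    x, y = keygen(p, q, g)
    sig1 = sign(p, q, g, x, msg)
    sig2 = sign(p, q, g, x, msg)
    return {
        "verifies": verify(p, q, g, y, msg, sig1),
        "tampered_rejected": not verify(p, q, g, y, msg + b"!", sig1),
        "fresh_randomizer": sig1[0] != sig2[0],  # r, hence the hash salt, differs per signature
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes visible: `randomized_hash` receives only r, which the verifier already holds as half of the signature, so the hash module inherits no confidentiality requirement; k appears in `sign` alone and is discarded after s is computed.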


Hash mailing list