Re: [Hash] randomized hashes and DSA
Eric Rescorla <ekr@networkresonance.com> Thu, 04 August 2005 07:26 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E0a7Y-0003Mq-JT; Thu, 04 Aug 2005 03:26:28 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E0a7X-0003Mg-IP for hash@megatron.ietf.org; Thu, 04 Aug 2005 03:26:27 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA07325 for <hash@ietf.org>; Thu, 4 Aug 2005 03:26:25 -0400 (EDT)
Received: from open-28-19.ietf63.ietf.org ([86.255.28.19] helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E0aeL-0001dw-Tw for hash@ietf.org; Thu, 04 Aug 2005 04:00:24 -0400
Received: from networkresonance.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 060AEB813; Thu, 4 Aug 2005 00:26:10 -0700 (PDT)
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Subject: Re: [Hash] randomized hashes and DSA
In-reply-to: Your message of "Wed, 03 Aug 2005 19:20:43 EDT." <20050803232043.6BF2E3BFFEA@berkshire.machshav.com>
X-Mailer: MH-E 7.4.3; nmh 1.0.4; XEmacs 21.4 (patch 17)
Date: Thu, 04 Aug 2005 00:26:10 -0700
From: Eric Rescorla <ekr@networkresonance.com>
Message-Id: <20050804072610.060AEB813@delta.rtfm.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 79899194edc4f33a41f49410777972f8
Cc: Hash WG <hash@ietf.org>
X-BeenThere: hash@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: hash.lists.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hash>, <mailto:hash-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hash>
List-Post: <mailto:hash@lists.ietf.org>
List-Help: <mailto:hash-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hash>, <mailto:hash-request@lists.ietf.org?subject=subscribe>
Sender: hash-bounces@lists.ietf.org
Errors-To: hash-bounces@lists.ietf.org
Steven M. Bellovin <smb@cs.columbia.edu> wrote: > At the hash BoF, Ran Canetti suggested using the same random number for > the hash as for the DSA signature. That left me feeling very uneasy. > I think I can now show that it's a very bad idea. > > The problem is that the two have very different properties. The random > number used for signing must remain confidential; the random number for > hashing need only be unpredictable. If I receive a signed message, in > order to verify it I need to have the random number to feed to the hash > function. But before this, the hash module did not need to have any > confidentiality properties. With this scheme, it does. This imposes a > signficant new requirement on the modularization of the total system. I was assuming that Ran meant r, which is computed by generating a random k and then computing: (g^k mod p) mod q where k is random and secret. r, however, is public and part of the signature, and random since it was derived from k. -Ekr _______________________________________________ Hash mailing list Hash@lists.ietf.org https://www1.ietf.org/mailman/listinfo/hash
- Re: [Hash] randomized hashes and DSA D. J. Bernstein
- [Hash] randomized hashes and DSA Steven M. Bellovin
- Re: [Hash] randomized hashes and DSA Eric Rescorla
- RE: [Hash] randomized hashes and DSA Blumenthal, Uri
- Re: [Hash] randomized hashes and DSA Steven M. Bellovin
- Re: [Hash] randomized hashes and DSA Eric Rescorla
- Re: [Hash] randomized hashes and DSA Hugo Krawczyk