Re: [Hash] randomized hashes and DSA

Eric Rescorla <ekr@networkresonance.com> Thu, 04 August 2005 07:26 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E0a7Y-0003Mq-JT; Thu, 04 Aug 2005 03:26:28 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E0a7X-0003Mg-IP for hash@megatron.ietf.org; Thu, 04 Aug 2005 03:26:27 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA07325 for <hash@ietf.org>; Thu, 4 Aug 2005 03:26:25 -0400 (EDT)
Received: from open-28-19.ietf63.ietf.org ([86.255.28.19] helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E0aeL-0001dw-Tw for hash@ietf.org; Thu, 04 Aug 2005 04:00:24 -0400
Received: from networkresonance.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 060AEB813; Thu, 4 Aug 2005 00:26:10 -0700 (PDT)
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Subject: Re: [Hash] randomized hashes and DSA
In-reply-to: Your message of "Wed, 03 Aug 2005 19:20:43 EDT." <20050803232043.6BF2E3BFFEA@berkshire.machshav.com>
X-Mailer: MH-E 7.4.3; nmh 1.0.4; XEmacs 21.4 (patch 17)
Date: Thu, 04 Aug 2005 00:26:10 -0700
From: Eric Rescorla <ekr@networkresonance.com>
Message-Id: <20050804072610.060AEB813@delta.rtfm.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 79899194edc4f33a41f49410777972f8
Cc: Hash WG <hash@ietf.org>
X-BeenThere: hash@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: hash.lists.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hash>, <mailto:hash-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hash>
List-Post: <mailto:hash@lists.ietf.org>
List-Help: <mailto:hash-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hash>, <mailto:hash-request@lists.ietf.org?subject=subscribe>
Sender: hash-bounces@lists.ietf.org
Errors-To: hash-bounces@lists.ietf.org

Steven M. Bellovin <smb@cs.columbia.edu>; wrote:
> At the hash BoF, Ran Canetti suggested using the same random number for 
> the hash as for the DSA signature.  That left me feeling very uneasy.  
> I think I can now show that it's a very bad idea.
> 
> The problem is that the two have very different properties.  The random 
> number used for signing must remain confidential; the random number for 
> hashing need only be unpredictable.  If I receive a signed message, in 
> order to verify it I need to have the random number to feed to the hash 
> function.  But before this, the hash module did not need to have any 
> confidentiality properties.  With this scheme, it does.  This imposes a 
> signficant new requirement on the modularization of the total system.

I was assuming that Ran meant r, which is computed by generating
a random k and then computing: (g^k mod p) mod q
where k is random and secret. r, however, is public and part of
the signature, and random since it was derived from k.

-Ekr


_______________________________________________
Hash mailing list
Hash@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/hash