Re: [Hash] randomized hashes and DSA

Eric Rescorla <ekr@networkresonance.com> Thu, 04 August 2005 08:43 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E0bJh-0007J3-O4; Thu, 04 Aug 2005 04:43:05 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E0bJf-0007Is-N0 for hash@megatron.ietf.org; Thu, 04 Aug 2005 04:43:03 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA12538 for <hash@ietf.org>; Thu, 4 Aug 2005 04:43:01 -0400 (EDT)
Received: from open-28-19.ietf63.ietf.org ([86.255.28.19] helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E0bqV-0005bV-UV for hash@ietf.org; Thu, 04 Aug 2005 05:17:01 -0400
Received: from networkresonance.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 23201B848; Thu, 4 Aug 2005 01:43:01 -0700 (PDT)
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Subject: Re: [Hash] randomized hashes and DSA
In-reply-to: Your message of "Thu, 04 Aug 2005 04:35:58 EDT." <20050804083559.342453BFD72@berkshire.machshav.com>
X-Mailer: MH-E 7.4.3; nmh 1.0.4; XEmacs 21.4 (patch 17)
Date: Thu, 04 Aug 2005 01:43:01 -0700
From: Eric Rescorla <ekr@networkresonance.com>
Message-Id: <20050804084301.23201B848@delta.rtfm.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 39bd8f8cbb76cae18b7e23f7cf6b2b9f
Cc: Hash WG <hash@ietf.org>
X-BeenThere: hash@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: hash.lists.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hash>, <mailto:hash-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hash>
List-Post: <mailto:hash@lists.ietf.org>
List-Help: <mailto:hash-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hash>, <mailto:hash-request@lists.ietf.org?subject=subscribe>
Sender: hash-bounces@lists.ietf.org
Errors-To: hash-bounces@lists.ietf.org

Steven M. Bellovin <smb@cs.columbia.edu>; wrote:

> In message <20050804072610.060AEB813@delta.rtfm.com>;, Eric Rescorla writes:
> >Steven M. Bellovin <smb@cs.columbia.edu>; wrote:
> >> At the hash BoF, Ran Canetti suggested using the same random number for 
> >> the hash as for the DSA signature.  That left me feeling very uneasy.  
> >> I think I can now show that it's a very bad idea.
> >> 
> >> The problem is that the two have very different properties.  The random 
> >> number used for signing must remain confidential; the random number for 
> >> hashing need only be unpredictable.  If I receive a signed message, in 
> >> order to verify it I need to have the random number to feed to the hash 
> >> function.  But before this, the hash module did not need to have any 
> >> confidentiality properties.  With this scheme, it does.  This imposes a 
> >> signficant new requirement on the modularization of the total system.
> >
> >I was assuming that Ran meant r, which is computed by generating
> >a random k and then computing: (g^k mod p) mod q
> >where k is random and secret. r, however, is public and part of
> >the signature, and random since it was derived from k.
> >
> 
> That would certainly be better, though there are still issues with 
> modularization.  The signing process would no longer be a simple
> pipeline of an hash operator that merely needs to be authentic and a 
> signature operator that requires confidentiality.  To give a concrete 
> example, in a secure email system the signature function -- DSA, RSA, 
> or whatever -- should be in a separate compartment to protect the 
> long-term secret key from the vast bulk of the MTA.  This scheme would 
> complicate the API to the signature function, and require a different 
> API for DSA than for RSA.

Totally agree..

-Ekr


_______________________________________________
Hash mailing list
Hash@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/hash