Re: [Hash] randomized hashes and DSA
Eric Rescorla <ekr@networkresonance.com> Thu, 04 August 2005 08:43 UTC
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Subject: Re: [Hash] randomized hashes and DSA
In-reply-to: Your message of "Thu, 04 Aug 2005 04:35:58 EDT." <20050804083559.342453BFD72@berkshire.machshav.com>
Date: Thu, 04 Aug 2005 01:43:01 -0700
From: Eric Rescorla <ekr@networkresonance.com>
Cc: Hash WG <hash@ietf.org>

Steven M. Bellovin <smb@cs.columbia.edu> wrote:
> In message <20050804072610.060AEB813@delta.rtfm.com>, Eric Rescorla writes:
> >Steven M. Bellovin <smb@cs.columbia.edu> wrote:
> >> At the hash BoF, Ran Canetti suggested using the same random number for
> >> the hash as for the DSA signature. That left me feeling very uneasy.
> >> I think I can now show that it's a very bad idea.
> >>
> >> The problem is that the two have very different properties. The random
> >> number used for signing must remain confidential; the random number for
> >> hashing need only be unpredictable. If I receive a signed message, in
> >> order to verify it I need to have the random number to feed to the hash
> >> function. But before this, the hash module did not need to have any
> >> confidentiality properties. With this scheme, it does. This imposes a
> >> significant new requirement on the modularization of the total system.
> >
> >I was assuming that Ran meant r, which is computed by generating
> >a random k and then computing: (g^k mod p) mod q
> >where k is random and secret. r, however, is public and part of
> >the signature, and random since it was derived from k.
> >
>
> That would certainly be better, though there are still issues with
> modularization. The signing process would no longer be a simple
> pipeline of an hash operator that merely needs to be authentic and a
> signature operator that requires confidentiality. To give a concrete
> example, in a secure email system the signature function -- DSA, RSA,
> or whatever -- should be in a separate compartment to protect the
> long-term secret key from the vast bulk of the MTA. This scheme would
> complicate the API to the signature function, and require a different
> API for DSA than for RSA.

Totally agree..

-Ekr
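
The API consequence discussed in the message above, as an added example that is not part of the original thread: a toy DSA signer whose hash is salted with the public r, so the key compartment must be called twice (once for r, once for s) instead of sitting at the end of a hash-then-sign pipeline. The toy group, `rhash` (SHA-256 over r || message) and the `begin`/`finish` split are assumptions made for illustration; the thread does not specify a construction.

```python
import hashlib, secrets
from math import isqrt
Q = 2**31 - 1                      # Mersenne prime; toy size, not real DSA strength
def _toy_group(q):                 # constructed demo group: prime p = j*q + 1, g of order q
    j = 2
    while any((j * q + 1) % d == 0 for d in range(2, isqrt(j * q + 1) + 1)):
        j += 2
    p, h = j * q + 1, 2
    while pow(h, j, p) == 1:
        h += 1
    return p, pow(h, j, p)
P, G = _toy_group(Q)

def rhash(r: int, msg: bytes) -> int:   # assumed construction: SHA-256(r || msg) mod Q
    return int.from_bytes(hashlib.sha256(r.to_bytes(4, "big") + msg).digest(), "big") % Q

class SignerCompartment:
    """Holds the long-term key x and each per-signature k; neither is returned."""
    def __init__(self):
        self._x = secrets.randbelow(Q - 1) + 1
        self.y = pow(G, self._x, P)            # public key
        self._pending = {}                     # r -> k, for signatures in progress
    def begin(self) -> int:
        """Call 1: choose secret k, release only the public r = (g^k mod p) mod q."""
        while True:
            k = secrets.randbelow(Q - 1) + 1
            r = pow(G, k, P) % Q
            if r and r not in self._pending:
                self._pending[r] = k
                return r
    def finish(self, r: int, digest: int) -> int:
        """Call 2: s = k^-1 (digest + x*r) mod q. pop() makes each k single-use."""
        k = self._pending.pop(r)
        return pow(k, -1, Q) * (digest + self._x * r) % Q

def sign(signer: SignerCompartment, msg: bytes):
    while True:
        r = signer.begin()                     # hashing cannot start before this returns
        s = signer.finish(r, rhash(r, msg))
        if s:
            return r, s

def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = rhash(r, msg) * w % Q, r * w % Q
    return pow(G, u1, P) * pow(y, u2, P) % P % Q == r
```

An RSA signer behind the same boundary would need only a single `sign(digest)` call, which is the API divergence the message points out; the compartment here also has to hold k between the two calls and refuse to reuse it.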