Re: [Hash] randomized hashes and DSA

Hugo Krawczyk <> Thu, 04 August 2005 16:06 UTC

Date: Thu, 4 Aug 2005 19:08:04 +0300 (IDT)
From: Hugo Krawczyk <>
To: "Steven M. Bellovin" <>
Subject: Re: [Hash] randomized hashes and DSA
Cc: Hash WG <>

Let me clarify this very important point before more people get confused.
In general, please refer to draft-irtf-cfrg-rhash-00.txt for the details
and rationale of the proposal presented by Ran.

In reference to Steve's point below regarding the use (or re-use) of the
random component of a DSA signature as the random "salt" in the hashing
process, the intention is to use the public value r=g^k and NOT the SECRET k.
Doing the latter would completely break the DSS scheme, in which revealing a
single value of k also discloses the full value of the long-term private
signing key.

Having clarified this, it is also important to distinguish between two issues:
(1) The cryptographic soundness of (re)using the component r for salting
the randomized hashing
(2) The engineering benefits and drawbacks of doing that.

The first point is essential and holds in this case. It is indeed secure
to reuse the value of r for the salting of the hash (with one caveat
pointed out in the above draft: the salt value r needs to be unpredictable
to the attacker, so it should not be made available to the attacker before
the signature is issued).

As for (2), here we get into the business of trade-offs. Re-using r saves
bandwidth. Otoh, it changes the processing order of hash-and-sign in the
sense that the DSA component r now needs to be available before the
hashing. This may not be a problem in some cases (since r can be generated
a priori, independently of the msg being signed) and may be a problem in
others (such as allowing for the randomized hashing mode to be a drop-in
replacement for deterministic hashing in current signature code).

Whether bandwidth savings or processing compatibility is more important is
to be determined by purely engineering considerations (which is the IETF
expertise). The cryptography supports either way.

The details of processing and formats are of fundamental importance for the
practice of randomized hashing. But at this initial stage it is even more
important to understand the significance of the notion and the essential
role it may play now and in the future as an "insurance" against current
and future weaknesses of collision-resistant hashing.


On Wed, 3 Aug 2005, Steven M. Bellovin wrote:

> At the hash BoF, Ran Canetti suggested using the same random number for
> the hash as for the DSA signature. That left me feeling very uneasy.
> I think I can now show that it's a very bad idea.
> The problem is that the two have very different properties. The random
> number used for signing must remain confidential; the random number for
> hashing need only be unpredictable. If I receive a signed message, in
> order to verify it I need to have the random number to feed to the hash
> function. But before this, the hash module did not need to have any
> confidentiality properties. With this scheme, it does.  This imposes a
> significant new requirement on the modularization of the total system.
> 		--Steven M. Bellovin,

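As an added example (not code from the draft or from this thread), the flow Hugo describes: the signer fixes k and r first, uses the public DSA component r (never the secret k) as the salt, and the verifier recovers the salt from the signature itself rather than from an extra field. The toy group, the Fermat-tested parameter search, the salted hash (a simplified stand-in for the draft's randomized mode, not its exact construction) and all function names are constructed here.

```python
import hashlib
import secrets

Q = 2**127 - 1  # Mersenne prime used as the subgroup order (toy size, constructed)

def probably_prime(n: int) -> bool:
    """Fermat test with random bases; adequate for building the toy group below."""
    return all(pow(secrets.randbelow(n - 3) + 2, n - 1, n) == 1 for _ in range(20))

def make_group():
    """Smallest prime p = 2*m*Q + 1, and g = 2^((p-1)/Q) mod p, which has order Q."""
    m = 1
    while not probably_prime(2 * m * Q + 1):
        m += 1
    p = 2 * m * Q + 1
    return p, pow(2, (p - 1) // Q, p)

P, G = make_group()

def randomized_hash(salt: int, msg: bytes) -> int:
    """Salted hash, a simplified stand-in for the draft's randomized mode: the salt
    block is prepended to, and XORed into every block of, the message."""
    sb = salt.to_bytes(32, "big")
    padded = msg + b"\0" * (-len(msg) % 32)
    mixed = bytes(b ^ sb[i % 32] for i, b in enumerate(padded))
    return int.from_bytes(hashlib.sha256(sb + mixed).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1  # long-term private key
    return x, pow(G, x, P)

def sign(x: int, msg: bytes):
    """Hash-and-sign with r reused as salt: k and r exist BEFORE the message is hashed."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q  # public component r is the salt, never the secret k
        if r == 0:
            continue
        s = pow(k, -1, Q) * (randomized_hash(r, msg) + x * r) % Q
        if s:
            return r, s  # the salt r becomes public only together with s

def verify(y: int, msg: bytes, sig) -> bool:
    """The verifier takes the salt from the signature itself: no extra salt field."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = randomized_hash(r, msg) * w % Q, r * w % Q
    return pow(G, u1, P) * pow(y, u2, P) % P % Q == r
```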