RE: [Hash] randomized hashes and DSA

"Blumenthal, Uri" <uri.blumenthal@intel.com> Thu, 04 August 2005 08:29 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E0b6g-00032R-HR; Thu, 04 Aug 2005 04:29:38 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E0b6b-000323-Ob for hash@megatron.ietf.org; Thu, 04 Aug 2005 04:29:36 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA11937 for <hash@ietf.org>; Thu, 4 Aug 2005 04:29:31 -0400 (EDT)
Received: from fmr14.intel.com ([192.55.52.68] helo=fmsfmr002.fm.intel.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E0bdR-00051C-Ga for hash@ietf.org; Thu, 04 Aug 2005 05:03:30 -0400
Received: from fmsfmr101.fm.intel.com (fmsfmr101.fm.intel.com [10.253.24.21]) by fmsfmr002.fm.intel.com (8.12.10/8.12.10/d: major-outer.mc,v 1.1 2004/09/17 17:50:56 root Exp $) with ESMTP id j748TAQh003910; Thu, 4 Aug 2005 08:29:10 GMT
Received: from fmsmsxvs043.fm.intel.com (fmsmsxvs043.fm.intel.com [132.233.42.129]) by fmsfmr101.fm.intel.com (8.12.10/8.12.10/d: major-inner.mc,v 1.2 2004/09/17 18:05:01 root Exp $) with SMTP id j748T9UG028641; Thu, 4 Aug 2005 08:29:10 GMT
Received: from fmsmsx331.amr.corp.intel.com ([132.233.42.156]) by fmsmsxvs043.fm.intel.com (SAVSMTP 3.1.7.47) with SMTP id M2005080401291024438 ; Thu, 04 Aug 2005 01:29:10 -0700
Received: from fmsmsx312.amr.corp.intel.com ([132.233.42.227]) by fmsmsx331.amr.corp.intel.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 4 Aug 2005 01:29:09 -0700
Received: from hdsmsx402.amr.corp.intel.com ([10.127.2.62]) by fmsmsx312.amr.corp.intel.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 4 Aug 2005 01:29:09 -0700
Received: from pysmsx401.amr.corp.intel.com ([146.152.3.156]) by hdsmsx402.amr.corp.intel.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 4 Aug 2005 04:29:08 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Hash] randomized hashes and DSA
Date: Thu, 4 Aug 2005 04:25:19 -0400
Message-ID: <3DEC199BD7489643817ECA151F7C592901971A7B@pysmsx401.amr.corp.intel.com>
Thread-Topic: [Hash] randomized hashes and DSA
Thread-Index: AcWYxT2Desyk82JcTbKe1hk0rj6qYAACMULg
From: "Blumenthal, Uri" <uri.blumenthal@intel.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>, "Hash WG" <hash@ietf.org>
X-OriginalArrivalTime: 04 Aug 2005 08:29:08.0205 (UTC) FILETIME=[9518E9D0:01C598CE]
X-Scanned-By: MIMEDefang 2.44
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e5ba305d0e64821bf3d8bc5d3bb07228
Content-Transfer-Encoding: quoted-printable
Cc:
X-BeenThere: hash@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: hash.lists.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hash>, <mailto:hash-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hash>
List-Post: <mailto:hash@lists.ietf.org>
List-Help: <mailto:hash-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hash>, <mailto:hash-request@lists.ietf.org?subject=subscribe>
Sender: hash-bounces@lists.ietf.org
Errors-To: hash-bounces@lists.ietf.org

Steve,

I share your concerns, and dislike the idea. 

-----Original Message-----
From: hash-bounces@lists.ietf.org [mailto:hash-bounces@lists.ietf.org]
On Behalf Of Steven M. Bellovin
Sent: Thursday, August 04, 2005 1:21 AM
To: Hash WG
Subject: [Hash] randomized hashes and DSA

At the hash BoF, Ran Canetti suggested using the same random number for 
the hash as for the DSA signature.  That left me feeling very uneasy.  
I think I can now show that it's a very bad idea.

The problem is that the two have very different properties.  The random 
number used for signing must remain confidential; the random number for 
hashing need only be unpredictable.  If I receive a signed message, in 
order to verify it I need to have the random number to feed to the hash 
function.  But before this, the hash module did not need to have any 
confidentiality properties.  With this scheme, it does.  This imposes a 
significant new requirement on the modularization of the total system.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



_______________________________________________
Hash mailing list
Hash@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/hash

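The asymmetry Bellovin describes (the DSA nonce must stay secret, the hash randomizer must be handed to the verifier) can be made concrete. The following is an added example, not code from the thread or from any IETF draft: a textbook DSA over a constructed toy group, with SHA-256 standing in for the randomized hash and the randomizer simply prepended to the message (both are assumptions for illustration). It signs once with a separate public randomizer and a separate secret k, then once with k reused as the randomizer as proposed, and shows that in the second case whoever receives the "randomizer" needed for verification can solve s*k = h + x*r (mod q) for the private key x.

```python
"""Added example (not from the thread): textbook DSA over a constructed toy
group, plus the nonce-leak attack that makes the signing nonce k secret-critical.
Assumptions: SHA-256 stands in for the randomized hash, the randomizer is
prepended to the message, and the group is toy-sized (q < 2^16, NOT secure)."""
import hashlib
import secrets


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the toy modulus used here (p < 2^32)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def make_params():
    """Constructed toy DSA group (p, q, g) with q | p-1 and g of order q."""
    q = 65521                      # largest prime below 2^16
    j = 2
    while not _is_prime(j * q + 1):
        j += 1
    p = j * q + 1
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
        h += 1


def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1   # private key
    return x, pow(g, x, p)             # (x, y)


def hash_to_int(msg: bytes, randomizer: bytes, q: int) -> int:
    """Randomized hash: the randomizer is public and travels with the signature."""
    return int.from_bytes(hashlib.sha256(randomizer + msg).digest(), "big") % q


def sign(params, x, h, k):
    """Textbook DSA. Caller must reject r == 0 or s == 0 and never reveal k."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (h + x * r)) % q
    return r, s


def verify(params, y, h, sig) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(g, h * w % q, p) * pow(y, r * w % q, p) % p) % q
    return v == r


def recover_private_key(params, h, sig, k):
    """Anyone who learns k (plus public h, r, s) gets x: s*k = h + x*r (mod q)."""
    _, q, _ = params
    r, s = sig
    return ((s * k - h) * pow(r, -1, q)) % q


def sign_with_fresh_nonce(params, x, digest_for_nonce):
    """Draw k until r, s are nonzero; digest_for_nonce(k) is the hash to sign."""
    _, q, _ = params
    while True:
        k = secrets.randbelow(q - 1) + 1
        h = digest_for_nonce(k)
        r, s = sign(params, x, h, k)
        if r and s:
            return k, h, (r, s)


def demo(msg: bytes = b"constructed sample message"):
    params = make_params()
    _, q, _ = params
    x, y = keygen(params)

    # Sound design: public randomizer rho, separate secret nonce k1.
    rho = secrets.token_bytes(16)
    _k1, h1, sig1 = sign_with_fresh_nonce(params, x, lambda _k: hash_to_int(msg, rho, q))

    # Proposed shortcut: the DSA nonce doubles as the randomizer, so the
    # verifier must be sent k2 to recompute h2 -- and so can everyone else.
    k2, h2, sig2 = sign_with_fresh_nonce(
        params, x, lambda k: hash_to_int(msg, k.to_bytes(4, "big"), q))
    recovered = recover_private_key(params, h2, sig2, k2)

    return {
        "separate_verifies": verify(params, y, h1, sig1),
        "shared_verifies": verify(params, y, h2, sig2),
        "leaked_nonce_recovers_key": recovered == x,
    }
```

Both signatures verify; the difference is that in the shared-nonce case the verifier's input set now contains the one value whose disclosure is equivalent to disclosing the private key, which is exactly the new confidentiality requirement on the hash module that the message objects to.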