[Hash] randomized hashes and DSA

"Steven M. Bellovin" <smb@cs.columbia.edu> Thu, 04 August 2005 07:21 UTC

From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Hash WG <hash@ietf.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 03 Aug 2005 19:20:43 -0400
Message-Id: <20050803232043.6BF2E3BFFEA@berkshire.machshav.com>
Subject: [Hash] randomized hashes and DSA

At the hash BoF, Ran Canetti suggested using the same random number for 
the hash as for the DSA signature.  That left me feeling very uneasy.  
I think I can now show that it's a very bad idea.

The problem is that the two have very different properties.  The random 
number used for signing must remain confidential; the random number for 
hashing need only be unpredictable.  If I receive a signed message, in 
order to verify it I need to have the random number to feed to the hash 
function.  But before this, the hash module did not need to have any 
confidentiality properties.  With this scheme, it does.  This imposes a 
significant new requirement on the modularization of the total system.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
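As an added illustration of the point in the message above (example code, not part of the original post or of any WG draft), a toy DSA over constructed, deliberately undersized parameters p=23, q=11, g=4, with a simplified randomized hash H(salt || message) mod q standing in for a real randomized-hashing construction: the verifier must be handed the salt to recompute the hash, and when that salt is also the DSA nonce k, the verifier can solve the signing equation for the private key x.

```python
import hashlib
import secrets

# Constructed toy DSA parameters, far too small for real use: q | p-1 and g has order q mod p.
P, Q, G = 23, 11, 4

def rand_hash(salt: bytes, msg: bytes) -> int:
    """Simplified randomized hash: SHA-256(salt || msg) reduced mod q (a stand-in, not a standard)."""
    return int.from_bytes(hashlib.sha256(salt + msg).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1        # private key, 1 <= x < q
    return x, pow(G, x, P)                  # (x, public key y)

def sign(x: int, msg: bytes, k: int, salt: bytes):
    """DSA signature over the randomized hash; k is the per-signature secret nonce."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (rand_hash(salt, msg) + x * r)) % Q
    if r == 0 or s == 0:                    # DSA requires a fresh k in this case
        raise ValueError("degenerate signature, choose another k")
    return r, s

def verify(y: int, msg: bytes, salt: bytes, sig) -> bool:
    """The verifier needs the salt to recompute the hash; that is the whole problem."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (rand_hash(salt, msg) * w) % Q, (r * w) % Q
    return ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q == r

def recover_private_key(msg: bytes, salt: bytes, sig, k: int) -> int:
    """Solving s = k^-1 (h + x r) mod q for x, which anyone who knows k can do."""
    r, s = sig
    return ((s * k - rand_hash(salt, msg)) * pow(r, -1, Q)) % Q

def demo(msg: bytes = b"constructed sample message"):
    """Salt == nonce, as proposed: returns (true x, x recovered by the verifier, signature valid)."""
    x, y = keygen()
    for k in range(1, Q):                   # retry nonces that give a degenerate signature
        salt = k.to_bytes(2, "big")         # the salt sent to the verifier IS the DSA nonce
        try:
            sig = sign(x, msg, k, salt)
        except ValueError:
            continue
        return x, recover_private_key(msg, salt, sig, k), verify(y, msg, salt, sig)
    raise RuntimeError("no usable nonce in toy group")

if __name__ == "__main__":
    print(demo())
```

With a separate, secret k and a public salt, `recover_private_key` has no k to work with, which is exactly the separation of properties the message argues for.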
