[Hash] randomized hashes and DSA
"Steven M. Bellovin" <smb@cs.columbia.edu> Thu, 04 August 2005 07:21 UTC
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Hash WG <hash@ietf.org>
Date: Wed, 03 Aug 2005 19:20:43 -0400
Subject: [Hash] randomized hashes and DSA

At the hash BoF, Ran Canetti suggested using the same random number for the hash as for the DSA signature. That left me feeling very uneasy. I think I can now show that it's a very bad idea.

The problem is that the two have very different properties. The random number used for signing must remain confidential; the random number for hashing need only be unpredictable. If I receive a signed message, in order to verify it I need to have the random number to feed to the hash function. But before this, the hash module did not need to have any confidentiality properties. With this scheme, it does. This imposes a significant new requirement on the modularization of the total system.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
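
An added illustration, not part of the message above: a toy DSA signer in which the per-signature nonce k either doubles as the salt of a randomized hash or is kept separate from it. It goes one step beyond the message by using the standard DSA signing equation to show why k must stay confidential; the group parameters, the `H(salt || msg)` construction and all function names are assumptions made for the example.

```python
import hashlib
import secrets

# Toy DSA group (constructed, far too small for real use): Q divides P - 1.
P, Q, G = 607, 101, 64   # G = 2^((P-1)/Q) mod P, an element of order Q

def rhash(salt: int, msg: bytes) -> int:
    """Randomized hash H(salt || msg), reduced mod Q (assumed construction)."""
    d = hashlib.sha256(salt.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(d, "big") % Q

def sign(x: int, msg: bytes, share_nonce: bool):
    """Return (salt, r, s). The salt always travels with the signature,
    because the verifier cannot recompute the hash without it."""
    while True:
        k = 1 + secrets.randbelow(Q - 1)           # secret DSA nonce
        salt = k if share_nonce else 1 + secrets.randbelow(Q - 1)
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (rhash(salt, msg) + x * r) % Q
        # Retry on degenerate values; in this tiny group an independent
        # salt can equal k by chance, so that case is rejected as well.
        if r and s and (share_nonce or salt != k):
            return salt, r, s

def verify(y: int, msg: bytes, salt: int, r: int, s: int) -> bool:
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = rhash(salt, msg) * w % Q, r * w % Q
    return pow(G, u1, P) * pow(y, u2, P) % P % Q == r

def key_from_public_values(msg: bytes, salt: int, r: int, s: int) -> int:
    """Solve s = k^-1 (h + x*r) mod Q for x, treating the salt as k.
    The result is the private key exactly when salt == k."""
    return (s * salt - rhash(salt, msg)) * pow(r, -1, Q) % Q

def demo(share_nonce: bool):
    x = 1 + secrets.randbelow(Q - 1)               # private key
    y = pow(G, x, P)                               # public key
    msg = b"constructed sample message"
    salt, r, s = sign(x, msg, share_nonce)
    return verify(y, msg, salt, r, s), x == key_from_public_values(msg, salt, r, s)

if __name__ == "__main__":
    print("shared nonce      (valid, key exposed):", demo(True))
    print("independent salt  (valid, key exposed):", demo(False))
```

Both variants produce signatures that verify; only the shared-nonce variant hands every recipient the private key.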