IETF Logo Mail Archive

Re: How to Calculate Signatures?

Ian G <iang@systemics.com> Sun, 03 April 2005 21:36 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA28392 for <openpgp-archive@lists.ietf.org>; Sun, 3 Apr 2005 17:36:49 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j33LMn8e061413; Sun, 3 Apr 2005 14:22:49 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j33LMn6X061412; Sun, 3 Apr 2005 14:22:49 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from www.enhyper.com (mailgate.enhyper.com [62.49.250.18]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j33LMlRT061403 for <ietf-openpgp@imc.org>; Sun, 3 Apr 2005 14:22:48 -0700 (PDT) (envelope-from iang@systemics.com)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by www.enhyper.com (8.11.6/8.11.6) with SMTP id j33LMVU03537 for <ietf-openpgp@imc.org>; Sun, 3 Apr 2005 22:22:41 +0100
X-Authentication-Warning: www.enhyper.com: localhost.localdomain [127.0.0.1] didn't use HELO protocol
Message-ID: <42505F72.902@systemics.com>
Date: Sun, 03 Apr 2005 22:26:10 +0100
From: Ian G <iang@systemics.com>
Organization: http://financialcryptography.com/
User-Agent: Mozilla Thunderbird 1.0 (X11/20050219)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: How to Calculate Signatures?
References: <20050403194540.2563D57EBA@finney.org>
In-Reply-To: <20050403194540.2563D57EBA@finney.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit

Hal Finney wrote:

> Unfortunately, that doesn't protect against the attack.  The ID of SHA-1
> is 2 and the ID of RIPEMD-160 is 3.  If SHA-1 were broken badly enough
> it's entirely possible that we could find m1 and m2 such that:
> 
> SHA1 (2 || m1) == RIPEMD160 (3 || m2).
> 
> The mere fact that you feed the hash algorithm ID into the hash algorithm
> doesn't stop you from finding collisions with a different, broken hash
> algorithm.


Which would seem to be mildly supportive of locking
DSA with SHA1?

> The situation is different with RSA, where you do:
> 
> RSA_Sign (Alg ID || Hash).
> 
> Now, it is impossible to get collisions using two different algorithm ID's
> because the algorithm ID is outside the hash.


And this would seem to suggest that rather than
tinkering with DSA, we should prefer a completely
new signature algorithm?

iang

-- 
News and views on what matters in finance+crypto:
         http://financialcryptography.com/

v2.23.0 | Report a Bug | By Email