Re: Suggested changes for DSA2, take 4
Ben Laurie <ben@algroup.co.uk> Wed, 29 March 2006 21:43 UTC
Message-ID: <442AFAAF.5090105@algroup.co.uk>
Date: Wed, 29 Mar 2006 22:22:55 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Hal Finney <hal@finney.org>
CC: ietf-openpgp@imc.org
Subject: Re: Suggested changes for DSA2, take 4
References: <20060329184530.E0E5A57FAE@finney.org>
In-Reply-To: <20060329184530.E0E5A57FAE@finney.org>
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Hal Finney wrote:
> Ben Laurie writes:
>> Slightly late to the party here, but I should note that hash truncation
>> is not an operation that is thoroughly approved of. In particular I
>> would worry that if it is permitted a cunning attacker might be able to
>> choose a new q s.t. the signature still validated on a much shorter
>> version of the hash, and thus show a valid signature on the wrong
>> document. I would therefore suggest that we do _not_ permit arbitrary
>> truncation of hashes.
>
> I don't understand what you are proposing here. To choose a new q means
> to create a new key: a new (p, q, g, x, y) tuple. Then you are worried
> that an existing (r, s) signature could be made to work with this new key?
> I don't see why this would be a concern even if it worked; and it could be
> eliminated by checking that r and s are < q, which you should do anyway.
>
> The NIST standard supports arbitrary truncation of (strong) hashes, and
> if it were that risky I doubt very much that it would have gotten in.
> John Kelsey at NIST is one of the top people in the field today and I
> am sure this has been reviewed by him and other cryptographers.

OK, you are right, I guess I'll count this nebulous concern as void.
Certainly the language proposed accords with 186-3 on hash truncation.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
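The two mechanics the exchange above turns on, the FIPS 186-3 truncation rule (z is the leftmost min(N, outlen) bits of Hash(M), so a 256-bit digest is cut down to the bit length N of q) and the 0 < r < q, 0 < s < q check Hal Finney says a verifier should do anyway, as an added worked example. This is editor-supplied code, not code from the thread, from the DSA2 draft, or from any OpenPGP implementation. The parameters are constructed toys: a 61-bit q (2^61 - 1) with p = k*q + 1 found at runtime, chosen so pure-Python parameter generation is instant; real DSA2 sizes are N = 224 or 256 bits with L = 2048 or 3072 bits. The last two results show why the range check is not optional: (r, s + q) is the same signature modulo q and verifies arithmetically, and only the explicit bound rejects it.

```python
import hashlib
import secrets

# Constructed toy parameters: a 61-bit Mersenne prime as q. Far too small for
# real use (FIPS 186-3 wants N = 160/224/256 bits); chosen so that finding a
# matching p in pure Python takes milliseconds.
Q = (1 << 61) - 1
N_BITS = Q.bit_length()   # 61


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(q=Q):
    """Find p = k*q + 1 prime and a generator g of the order-q subgroup of Z_p*."""
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
        h += 1


def truncated_hash(message, q):
    """FIPS 186-3 rule: z = leftmost min(N, outlen) bits of Hash(M), N = bitlen(q)."""
    digest = hashlib.sha256(message).digest()
    outlen = len(digest) * 8
    n = q.bit_length()
    z = int.from_bytes(digest, "big")
    if outlen > n:
        z >>= outlen - n          # drop the rightmost (outlen - N) bits
    return z


def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1      # private key in [1, q-1]
    return x, pow(g, x, p)


def sign(p, q, g, x, message):
    z = truncated_hash(message, q)
    while True:
        k = secrets.randbelow(q - 1) + 1  # fresh per-signature nonce
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = (pow(k, -1, q) * (z + x * r)) % q   # pow(k, -1, q): Python 3.8+
        if s != 0:
            return r, s


def verify(p, q, g, y, message, sig, check_range=True):
    """DSA verification; check_range=False shows what happens without 0 < r, s < q."""
    r, s = sig
    if check_range and not (0 < r < q and 0 < s < q):
        return False
    if s % q == 0:                        # avoid inverting zero in the unchecked path
        return False
    w = pow(s, -1, q)
    z = truncated_hash(message, q)
    u1 = (z * w) % q
    u2 = (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r


def demo():
    """Sign a constructed message, then show what the range check buys you."""
    p, q, g = generate_params()
    x, y = keygen(p, q, g)
    msg = b"constructed sample message for DSA2 hash truncation"   # constructed input
    r, s = sign(p, q, g, x, msg)
    return {
        "z_bits": truncated_hash(msg, q).bit_length(),   # <= 61 although SHA-256 is 256 bits
        "valid": verify(p, q, g, y, msg, (r, s)),
        "tampered": verify(p, q, g, y, msg + b"!", (r, s)),
        # (r, s + q) is the same value mod q, so the arithmetic alone accepts it...
        "malleable_unchecked": verify(p, q, g, y, msg, (r, s + q), check_range=False),
        # ...and only the explicit bound rejects it.
        "malleable_checked": verify(p, q, g, y, msg, (r, s + q)),
    }
```

Swapping Q for a 256-bit prime and SHA-512 for SHA-256 exercises the same truncation path; with SHA-224 against a 256-bit q the `outlen > n` branch is skipped and the whole digest is used, which is the other half of the min(N, outlen) rule.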
- Suggested changes for DSA2, take 4 David Shaw
- Re: Suggested changes for DSA2, take 4 Ben Laurie
- Re: Suggested changes for DSA2, take 4 "Hal Finney"
- Re: Suggested changes for DSA2, take 4 Ben Laurie
- Re: Suggested changes for DSA2, take 4 Jon Callas