Re: Public key encryption

From: AE (hidden@nospam.com)
Date: 01/24/03


From: AE <hidden@nospam.com>
Date: Fri, 24 Jan 2003 19:46:07 +0100

Paul Crowley wrote:
> AE <nospam@hidden.com> writes:
>>Paul Crowley wrote:
>> ...
>>>Not as easy as it seems! The trouble is that (loosely) RSA is only
>>>secure for "random" input, but the inputs you'll get for message
>>>encryption or signing are anything but random.
>>>...
>>
>
>>I'd expect a hash of a given message to be as random as possible or
>>something is wrong with the hash algorithm you are using :-/
>>AE
>
>
> (from which I assume you're talking about signatures, not encryption)
>
> When I said "loosely", I'd hoped I was making it clear that I wasn't
> giving enough information to design a secure system! If you really
> want to know enough about how this is done to make a secure choice,
> don't just take my loose words for it; read the paper on PSS to
> complete the picture.
>
> There are two issues with what you say.
>
> 1) It needs to be a random number between 0 and the RSA modulus N, but
> N is typically greater than 2^1023; if you convert SHA-1 outputs to
> integers in the obvious way, all the values will be between 0 and
> 2^160, a very obviously non-random choice. What you need is a "full
> domain hash" (FDH).
>
> Actually PSS shows that you can relax this condition very slightly,
> but this should give you the idea.
>
> 2) It's not at all random - the hash a given message might produce is
> completely deterministic! You need to introduce a random element to
> the signing process. The simplest way is to generate a (say) 160-bit
> random "nonce" x at signing time; then you can use RSA to sign
> FDH(M||x). Bellare refers to this scheme as PSS-0.

My point was merely that the output of a hash is random in the sense
that it is as hard to enforce the encryption of linearly dependent
messages as to break the hash algorithm.

Indeed, I've no idea how to mount an attack based on the fact that my
message is small compared to the encryption exponent but still a hash
value of 160-bit size.

> Of course you have to transmit the nonce as part of the signature if
> anyone's to be able to verify it, and this takes up 10 bytes. PSS
> provides a way of saving those 10 bytes;

I'd guess I could save much more than just these 10 bytes when using DSA
instead of RSA.

> this technique is patented, but if you use IEEE 1363 signatures then
> you get a free license to the patent.

Are IEEE 1363 signatures based on elliptic curves, or can I use
algorithms based on the discrete logarithm problem as well?

I don't think elliptic curve cryptography is mature enough to be used
unless there are important reasons.

> Finally, if you have a choice of signature scheme, why would you use
> RSA signatures rather than Rabin? Rabin signatures are faster to
> verify, and unlike RSA forgery is provably as hard as factorising the
> modulus.

Well - I don't mind either RSA or Rabin.

AE
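Added worked example (not part of this thread, and not code by Paul Crowley or AE): a toy Python implementation of the two points raised in the quoted text, namely a "full domain hash" that covers the whole range [0, N) instead of stopping at 2^160, and the PSS-0 scheme that signs FDH(M||x) with a fresh random nonce x. The key generation, the counter-based SHA-1 expansion used to build the FDH, and the sample message are all constructed here for illustration; key sizes are deliberately small and this is not a drop-in for a real PSS implementation.

```python
"""Toy RSA-FDH / PSS-0 signatures (illustrative, constructed example)."""
import hashlib
import secrets
from math import gcd


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random prime with the top bit set, so p*q has the intended length."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits: int = 1024):
    """Return (n, e, d). Toy sizes only; needs Python 3.8+ for pow(e, -1, m)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def narrow_hash(data: bytes) -> int:
    """The 'obvious' conversion the post warns about: SHA-1 as an integer.
    Whatever the size of n, this value is always below 2^160."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def full_domain_hash(data: bytes, n: int) -> int:
    """Deterministic map from data to an integer spread over all of [0, n).
    SHA-1 is expanded with a counter to the modulus length; if the trimmed
    value is >= n, the next counter value is tried (rejection sampling)."""
    nbits = n.bit_length()
    nbytes = (nbits + 7) // 8
    attempt = 0
    while True:
        out = b""
        block = 0
        while len(out) < nbytes:
            out += hashlib.sha1(data + attempt.to_bytes(4, "big")
                                + block.to_bytes(4, "big")).digest()
            block += 1
        h = int.from_bytes(out[:nbytes], "big") & ((1 << nbits) - 1)
        if h < n:
            return h
        attempt += 1


NONCE_LEN = 20  # a 160-bit random nonce x, as in the quoted description of PSS-0


def sign_pss0(key, msg: bytes):
    """PSS-0: sign FDH(M || x) with a fresh nonce x; x is part of the signature."""
    n, _, d = key
    nonce = secrets.token_bytes(NONCE_LEN)
    return pow(full_domain_hash(msg + nonce, n), d, n), nonce


def verify_pss0(pubkey, msg: bytes, sig) -> bool:
    """Recompute FDH(M || x) from the transmitted nonce and compare with s^e mod n."""
    n, e = pubkey
    s, nonce = sig
    if not (0 <= s < n) or len(nonce) != NONCE_LEN:
        return False
    return pow(s, e, n) == full_domain_hash(msg + nonce, n)


if __name__ == "__main__":
    key = keygen(512)
    n, e, _ = key
    msg = b"constructed sample message"
    print("narrow hash bit length:", narrow_hash(msg).bit_length(), "(<= 160)")
    print("FDH bit length:", full_domain_hash(msg, n).bit_length(), "of", n.bit_length())
    s1, s2 = sign_pss0(key, msg), sign_pss0(key, msg)
    print("two signatures of the same message differ:", s1 != s2)
    print("verify:", verify_pss0((n, e), msg, s1))
    print("verify tampered:", verify_pss0((n, e), msg + b"!", s1))
```

Running it shows the two effects side by side: the narrow hash never exceeds 160 bits while the FDH value fills the modulus, and because of the nonce the same message signed twice gives two different signatures, yet each still verifies against the nonce that accompanies it.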


