Re: Public key encryption
From: AE (hidden@nospam.com)
Date: 01/25/03
- Next message: AE: "Re: PGP clearsign question"
- Previous message: Paul Rubin: "Re: Bad news for Block Ciphers?"
- In reply to: Paul Crowley: "Re: Public key encryption"
- Next in thread: Paul Crowley: "Re: Public key encryption"
- Reply: Paul Crowley: "Re: Public key encryption"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: AE <hidden@nospam.com> Date: Sat, 25 Jan 2003 13:46:54 +0100
Paul Crowley wrote:
> AE <hidden@nospam.com> writes:
>
>>My point was merely that the output of a hash is random in the sense
>>that it is as hard to enforce the encryption of linear dependent
>>messages as to break the hash algorithm.
>
>
> I'm having a lot of trouble making sense of this point. If you mean
> that it's hard to find a set of messages such that their hashes form a
> linearly dependent set, then no it isn't; for a 160-bit hash, encrypt
> 161 of them and there's bound to be a linearly dependent subset that
> can be found relatively efficiently.
>
> And I can't work out what linear dependence over GF(2)^n might have to
> do with RSA forgery.
>
> In any case, whatever property you have in mind it doesn't sound like
> it amounts to equivalence to the RSA problem.
I was talking about Coppersmith-type attacks on RSA and attacks.
> PSS shows that if the
> hash function is strong then there's no possibility of a "shortcut":
> anything that can forge PSS signatures can do arbitrary RSA
> root-finding.
>
>
>>Indeed I've no idea what way to mount an attack based on the fact my
>>message is small compared to the encryption exponent but still a hash
>>value of 160 bit size.
>
>
> I don't know the details of the attacks myself. The most famous
> attack on weak padding is Bleichenbacher's "Million Message Attack",
> but there are others. Provably strong padding is the Right Thing.
I don't think Bleichenbacher's attack can be used against a digital
signature, but to be true I don't know enough to use the attack even
against systmes where it is known to be applicable.
> ...
>>>this technique is patented, but if you use IEEE 1363 signatures then
>>>you get a free license to the patent.
>
> (please take care with the formatting of text that you quote!)
(sadly netscape shows the quoted text slithglty different to what it
creates when sending so it's not always fully predictable to me)
> ...
>>I don't think elliptic curve cryptography is mature enough to be
>>used except there were important reasons.
>
>
> A lot of people feel otherwise, especially regarding curves that are
> not of any special form.
True. But to be conservative never hurts in this area :-)
>>>Finally, if you have a choice of signature scheme, why would you use
>>>RSA signatures rather than Rabin? Rabin signatures are faster to
>>>verify, and unlike RSA forgery is provably as hard as factorising the
>>>modulus.
>>
>>Well - I don't mind either RSA or Rabin.
>
>
> It seems to me that RSA's relative popularity is now entirely because
> it is better known..
I'd guess you are right. I'd generally prefer algorithms based on the
discrete logarithm problem, but that may be mostly because it's easier
for me to understand the mathematics behind it - and it surely doesn't
hurt that the prime numbers used are public and DSA-like prime
generation allows everybody to check what way they were chosen.
AE
- Next message: AE: "Re: PGP clearsign question"
- Previous message: Paul Rubin: "Re: Bad news for Block Ciphers?"
- In reply to: Paul Crowley: "Re: Public key encryption"
- Next in thread: Paul Crowley: "Re: Public key encryption"
- Reply: Paul Crowley: "Re: Public key encryption"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
