Re: electronic signatures
- From: Mike Amling <nospam@xxxxxxxxxx>
- Date: 12 Sep 2006 19:41:25 EDT
Peter Fairbrother wrote:
Mike Amling wrote:
Peter Fairbrother wrote:From the UK's The Electronic Signatures Regulations 2002:A block box that raises its input i to the d power mod N can be used
2. In these Regulations -
"advanced electronic signature" means an electronic signature -
....
(c) which is created using means that the signatory can maintain under his
sole control.
now an RSA decryption is mathematically the same operation as an RSA
signature,
for signature or decryption, but... Can a black box that accepts a hash
value h and returns a PSS digital signature on h also be used for
decryption? There may be a way, but I don't know of any.
It's very easy - present the block with a hash. Or with something that is in
fact data encrypted with the public key, but which pretends to be a hash. Or
something that is in fact a hash, but pretends to be encrypted data ...
Probabilistic Signature Scheme (PSS) only signs hashes that are shorter than the public key by some substantial margin, a good 160 bits if memory serves. The actual number which gets raised to the d power depends on 160 random bits generated as part of the signing process. See http://www.cs.ucdavis.edu/~rogaway/papers/exact.html for gory details. A black box that does PSS signatures does not give the provider of the hash to be signed sufficient control over the number than gets raised to the private exponent to allow decryption of a pre-specified RSA ciphertext.
Of course, a software implementation on a general purpose computer does not constitute a black box.
and if the gubmint can demand decryptions of data encrypted usingA black box that generates DSA signatures is if anything even further
a RSA key - and anyone who knows the public key can use it to encrypt data,
and you have to know the public key in order to be able to tewll whether a
signature is valid - then it can in effect force people to sign things
against their will, thus preventing them from using RSA for an "advanced
electronic signature".
Do any of the other signature schemes not have this property, ie is there a
means which could be used to generate "advanced electronic signatures"?
removed from what the said gubmint might construe as decryption, nicht?
Ah - I am not too knowledgeable on signatures, in fact it is the exact
question I was/am trying to ask - I have to complete my not-homework report
(for the UK Home Office) by tomorrow so I don't have time to google and
learn. Help?
If you don't know much about digital signatures, why has anyone asked you for a report on them?
You could do worse than start with http://en.wikipedia.org/wiki/Digital_Signature_Algorithm and note that the signing procedure does not, AFAICT, and I'm no expert, seem helpful in forming a DH shared secret from a given DH public key.
There are smart cards and tokens on the market that will generate a DSA key pair and sign things with it and from which it is purportedly difficult to extract the generated private key, including claims of resistance to timing and differential power attacks.
--Mike Amling
.
- Follow-Ups:
- Re: electronic signatures
- From: Peter Fairbrother
- Re: electronic signatures
- From: Peter Fairbrother
- Re: electronic signatures
- References:
- electronic signatures
- From: Peter Fairbrother
- Re: electronic signatures
- From: Mike Amling
- Re: electronic signatures
- From: Peter Fairbrother
- electronic signatures
- Prev by Date: Core2 benchmark results
- Next by Date: coded toxins.
- Previous by thread: Re: electronic signatures
- Next by thread: Re: electronic signatures
- Index(es):
Relevant Pages
|
