[13185] in cryptography@c2.net mail archive


Re: The Pure Crypto Project's Hash Function

daemon@ATHENA.MIT.EDU (Ralf Senderek)
Sun May 4 09:55:05 2003

X-Original-To: cryptography@metzdowd.com
Date: Sun, 4 May 2003 11:20:41 +0200 (CEST)
From: Ralf Senderek <ralf@senderek.de>
To: Peter Wayner <pcw2@flyzone.com>
Cc: <cryptography@metzdowd.com>
In-Reply-To: <a05111b01bad9dfe5fdb6@[10.0.1.25]>

On Sat, 3 May 2003, Peter Wayner wrote:

>
> Let's not forget one of the best reasons to use a very non-linear
> hash function like SHA: forging signatures.

Of course!

> Your function may
> inadvertently allow this depending upon the values of A, B and C.
>
> Let m and m' be numbers/messages. If Alice signs m with RSA, it's
> possible for anyone to convert this into a signature of m' with a few
> steps.
>
> Let Alice's signature be m^d mod n. She really should be computing
> h(m)^d mod n, but she's not.
>
> Now let's say we can talk Alice into signing m'/m by computing (m'/m)^d mod n.
>
> Multiply the two together to get (m^d)(m'/m)^d mod n = m'^d mod n.
> Voilà, a signature of m'.
>
> Obviously this depends upon getting Alice to sign two values.  Even
> if she tries to avoid signing m', she might get tricked into doing
> so. Non-linear hash functions like SHA prevent this.
>
> Can your hash function stop this? I don't think it will if C=n.

In PCP C will never be n, because n is composite and C is a prime
(taken from the RSA-155 challenge). In PCP messages m and m' will
always be hashes, and there are naturally additional precautions taken
to prevent Alice from being tricked into signing something that looks
like already encrypted material, that is, long numbers. It will issue
a warning if the text to be signed contains long numbers.

Thus the Pure Crypto Hash will stop this attack reliably inside PCP.

Ralf.

*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek  <ralf@senderek.de> http://senderek.de  * What is privacy *
* Sandstr. 60   D-41849 Wassenberg  +49 2432-3960       *     without     *
* PGP: AB 2C 85 AB DB D3 10 E7  CD A4 F8 AC 52 FC A9 ED *   Pure Crypto?  *
*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
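Added example (not from the thread and not PCP's own code): a toy RSA in Python showing the multiplicative step Peter describes succeeding against raw signing and failing against hash-then-sign, plus a simple long-number check in the spirit of the precaution Ralf mentions. The key, the messages, the use of SHA-256 reduced mod n as the hash, and the 40-digit threshold are all assumptions made for the illustration.

```python
import hashlib
import re

# Toy RSA key built from two known Mersenne primes (constructed for
# illustration only; not a production key).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def raw_sign(m: int) -> int:
    """Textbook RSA as in the thread: s = m^d mod n, no hash."""
    return pow(m, D, N)

def raw_verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N

def h(m: int) -> int:
    """Stand-in for a non-linear hash: SHA-256 of the message, reduced mod n."""
    digest = hashlib.sha256(str(m).encode()).digest()
    return int.from_bytes(digest, "big") % N

def hashed_sign(m: int) -> int:
    """Hash-then-sign: s = h(m)^d mod n."""
    return pow(h(m), D, N)

def hashed_verify(m: int, s: int) -> bool:
    return pow(s, E, N) == h(m)

def combine(s1: int, s2: int) -> int:
    """The multiplicative step from the thread: (m^d)(m'/m)^d mod n."""
    return (s1 * s2) % N

def forgery_outcomes(m: int, m_prime: int) -> dict:
    """Try the combination against both schemes; m'/m means m' * m^-1 mod n."""
    ratio = (m_prime * pow(m, -1, N)) % N
    forged_raw = combine(raw_sign(m), raw_sign(ratio))
    forged_hashed = combine(hashed_sign(m), hashed_sign(ratio))
    return {
        "raw": raw_verify(m_prime, forged_raw),          # valid signature on m'
        "hashed": hashed_verify(m_prime, forged_hashed),  # the hash breaks the algebra
    }

LONG_NUMBER = re.compile(r"\d{40,}")  # threshold is an assumption, not PCP's value

def warn_long_numbers(text: str) -> bool:
    """Flag text containing long numbers, as the precaution Ralf describes does."""
    return LONG_NUMBER.search(text) is not None
```

Calling `forgery_outcomes(42, 1234)` returns `{"raw": True, "hashed": False}`: the combined raw signatures verify as Alice's signature on m', while the combined hashed signatures do not.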


---------------------------------------------------------------------
The Cryptography Mailing List