[11439] in cryptography@c2.net mail archive
Re: adding noise blob to data before signing
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Sat Aug 10 14:26:13 2002
To: Derek Atkins <derek@ihtfp.com>
Cc: Eugen Leitl <eugen@leitl.org>,
Cryptography List <cryptography@wasabisystems.com>
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: 10 Aug 2002 10:23:40 -0700
In-Reply-To: Derek Atkins's message of "10 Aug 2002 12:49:40 -0400"
Derek Atkins <derek@ihtfp.com> writes:
> Eugen Leitl <eugen@leitl.org> writes:
>
> > 2) If I'm signing above short (~1 kBit) sequences, can I sign them
> > directly, or am I supposed to hash them first? (i.e. does a presence
> > of an essentially fixed field weaken the signature)
>
> It depends on the signature algorithm. With RSA you can sign any
> message "directly" if said message is smaller than the public key size
> (N). DSA, however, requires the use of a hash.
>
> Note that, in the grand scheme of things, performing the public key
> operation is significantly slower than performing the hash, so it
> really doesn't hurt you computationally to perform the hash. OTOH,
> your signature strength still depends on the strength of your hash.
It's generally a bad idea to sign RSA data directly. The RSA
primitive is actually quite fragile. At the very least you should
PKCS-1 pad the data.
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
