[389] in cryptography@c2.net mail archive

Re: Digital Signatures without PKCS

daemon@ATHENA.MIT.EDU (John Kelsey)
Wed Mar 19 11:42:21 1997

To: "Perry's Crypto List" <cryptography@c2.net>
Reply-To: kelsey@email.plnet.net
From: John Kelsey <kelsey@email.plnet.net>
Date: Wed, 19 Mar 97 01:12:47 CST

 -----BEGIN PGP SIGNED MESSAGE-----

[ To: alt.cypherpunks ## Date: 03/19/97 12:14 am ##
  Subject: Re: Digital Signatures without PKCS ]

>From: Adam Shostack
>Subject: Re: Digital Signatures without PKCS
>Date: Sat, 15 Mar 97 22:4

>I agree with Perry on this one.  Any system that uses a keyed
>hash fails to provide non-repudiation, unless you create a TTP
>to be the verifier of all signatures.  That TTP would be a fat
>target for a variety of attacks, technical and otherwise.

There are arguably practical digital signature schemes based
only on hash functions, which have essentially the same
practical traits as PK-based digital signature schemes.  Merkle,
Lamport, and Diffie were involved with some of these.

The simple way to do this is to build a set of one-time
signature schemes, which can be done using one-way hashes, and
then collect several thousand of them into a hash-tree, whose
root node is now your signing key.  Once that root node is
published, you can digitally sign several thousand data values
(as many as you set up for) with this key.  The signatures from
these schemes tend to be pretty big (a few kilobytes), but the
signature verifications tend to be quite cheap, and can be done
by a verifier with almost no memory.  If it ever turned out that
factoring and discrete log (in various fields) were easy, I
suspect that these schemes would see a lot of use.

Would these schemes be considered as public-key schemes under
the digital signature laws?  How about digital timestamping
schemes, where the final hash has been printed in several
newspapers?  (It may be digital timestamping should be dealt
with separately.  It may also be that passing laws to legitimize
various cryptographic primitives, beyond the very simple digital
signature stuff, is not really a worthwhile endeavor.)

>Adam

   --John Kelsey, kelsey@email.plnet.net / kelsey@counterpane.com
 PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36
