AW: adding noise blob to data before signing
Kuehn, Ulrich
Ulrich.Kuehn at Dresdner-Bank.com
Mon Aug 12 02:50:12 EDT 2002
> From: Eugen Leitl [mailto:eugen at leitl.org]
>
> 1) What's the name of the technique of salting/padding an
> small integer
> I'm signing with random data?
>
If you have something in mind one does as in PKCS#1 v1.5 _encryption_
padding for RSA, i.e. fixing the top bytes and adding random bytes until the
remaining length of RSA modulus is filled, then this seems to me like a bad
idea for _signatures_. I could be wrong, but I got the impression that this
might actually help an adversary as he/she does not need to have too much
control over the supposed-to-be-random bytes when doing a multiplicative
attack, again, for RSA. It seems to me that you need some redundancy within
the signature -- like PSS does -- to gain security from random bytes in
signatures.
Please correct me when I am wrong here...
> 2) If I'm signing above short (~1 kBit) sequences, can I sign them
> directly, or am I supposed to hash them first? (i.e. does
> a presence
> of an essentially fixed field weaken the signature)
>
You'd better hash first; I think I remember that there are some attacks on
fixed pattern padding for RSA even with quite a long fixed pattern.
You might want to look into:
Arjen K. Lenstra, Igor Shparlinski: Selective Forgery of RSA Signatures with
Fixed-Pattern Padding. Public Key Cryptography 2002: 228-236. Springer
Verlag 2002.
Ulrich
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list