AW: adding noise blob to data before signing

Kuehn, Ulrich Ulrich.Kuehn at Dresdner-Bank.com
Mon Aug 12 02:50:12 EDT 2002


> From: Eugen Leitl [mailto:eugen at leitl.org]
> 
> 1) What's the name of the technique of salting/padding an 
> small integer 
>    I'm signing with random data?
> 
If you have something in mind one does as in PKCS#1 v1.5 _encryption_
padding for RSA, i.e. fixing the top bytes and adding random bytes until the
remaining length of RSA modulus is filled, then this seems to me like a bad
idea for _signatures_. I could be wrong, but I got the impression that this
might actually help an adversary as he/she does not need to have too much
control over the supposed-to-be-random bytes when doing a multiplicative
attack, again, for RSA. It seems to me that you need some redundancy within
the signature -- like PSS does -- to gain security from random bytes in
signatures.

Please correct me when I am wrong here...

> 2) If I'm signing above short (~1 kBit) sequences, can I sign them 
>    directly, or am I supposed to hash them first? (i.e. does 
> a presence
>    of an essentially fixed field weaken the signature)
> 
You'd better hash first; I think I remember that there are some attacks on
fixed pattern padding for RSA even with quite a long fixed pattern.
You might want to look into: 
Arjen K. Lenstra, Igor Shparlinski: Selective Forgery of RSA Signatures with
Fixed-Pattern Padding. Public Key Cryptography 2002: 228-236. Springer
Verlag 2002.


Ulrich


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



More information about the cryptography mailing list