Modulo based hash functions [was: The Pure Crypto Project's Hash Function]

Ralf Senderek ralf at senderek.de
Mon May 19 03:09:21 EDT 2003 

On Sun, 18 May 2003, Ronald L. Rivest wrote:

> Hi Ralf --
>
> Proposal (A) does not have the multiplicative defect
> you claim.  (In particular, it is not RSA encryption, since
> the input x is in the exponent not in the base.)
>
> Also, the intent of the proposal (A) is that the entire
> messages (even if gigabtyes long) be treated as one long
> integer x.  The security proof still works fine here,
> so there is no size limit on what can be hashed this way.
>
> But, depending on your application, it is likely to be
> too slow for large inputs (aka unusable...)
>
>          Cheers,l
>          Ron Rivest

Ronald,

if you can convince me, that the proposal (A) can safely be used
together with RSA-encryption to create signatures I am more than
willing to kiss the Pure Crypto Hash goodbye and to replace it
with the Shamir-Rivest-Hash (please feel free to assign any different
abbreviation).

But for the sake of clarity (and truth) let us use this hash to
create signatures using secrets p=43 and q=79 assuming that the
factorization of n=3397 is "unknown". We can go into 2048 bit space
the other day.

Let x=1234 and y=2345 be two inputs.

I choose g = lcm(42, 78) = 546 as the hash's generator.
(Please correct me if I am doing wrong here)

The SRH now is :    hash(x) = 546 ^ x mod 3397

We get:    hash(x)    = 2949
           hash(y)    = 1284
           hash(x+y)  = 2258

Now we use the same modulus to create signatures using d = 113 as the
secret signingkey and e = 29 for signature verification.

           sig(hash(x))   =  1029
           sig(hash(y))   =  1125
	   sig(hash(x+y)) =  2645

So if you happen to be Alice and you have created the signatures on x and y
someone can compute

	  sig(hash(x)) * sig(hash(y)) mod n = 1029 * 1125 mod 3397
                                            = 2645
and pretend to have Alice's signature on z = x+y, which verifies correctly.


At least one cannot use the same modulus for hashing and signing
which is a pity, because the only p and q the user is convinced to be
unknown are his own p and q.
On the other hand, if there were different moduli (n,n') for signing and
hashing the signature on hash(x+y) would be different too, but I
cannot say that it is impossible to run into the same problem again.

So if the prove still holds, PCH is dead, long live SRH!


Ralf.


*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek  <ralf at senderek.de> http://senderek.de  * What is privacy *
* Sandstr. 60   D-41849 Wassenberg  +49 2432-3960       *     without     *
* PGP: AB 2C 85 AB DB D3 10 E7  CD A4 F8 AC 52 FC A9 ED *   Pure Crypto?  *
*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list