RSA question
Francois Grieu
fgrieu at gmail.com
Wed Sep 1 02:16:54 EDT 2010
On 01/09/2010 02:30, Joseph Ashwood wrote:
> [you may be] looking for a digital signature algorithm,
> all the good ones have entropy injected.

I disagree on that last line. There are good digital
signature schemes with no injection of entropy. An example
is ISO/IEC 9796-2:2002 Digital signature scheme 1,
a deterministic digital signature scheme.

Such schemes are very useful because they do not allow a
subliminal channel that the signer could use for
nefarious purposes. Two examples:

- You want to know that this signing black box you purchased,
accepting (private key, message) and producing a signature
using an ASIC, does not leak the private key in the
signature (you also need to guard against other leaks,
e.g. timing).

- You want to know that this anonymous timestamping web
service does not embed your IP in the timestamp (although
admittedly, you can't rule out that it keeps and secretly
sells a log of the IP associated with each timestamp
produced).

For RSA-based digital signature schemes, it is possible to
turn a good scheme with injection of entropy into a good
deterministic scheme: replace the entropy by a pseudo random
function of the message, and have that added information
checked by the verifier.

PKCS#1v2 (which recommends RSASSA-PSS, a probabilistic signature
scheme) acknowledges that:

  RSASSA-PSS is different from other RSA-based signature schemes
  in that it is probabilistic rather than deterministic,
  incorporating a randomly generated salt value. The salt value
  enhances the security of the scheme by affording a "tighter"
  security proof than deterministic alternatives such as Full
  Domain Hashing (..)
  However, the randomness is not critical to security. In
  situations where random generation is not possible, a fixed
  value or a sequence number could be employed instead, with
  the resulting provable security similar to that of FDH (..)

Francois Grieu
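The construction described in the message above (replace the random salt by a pseudo random function of the message, and let the verifier check it), as an added example that is not part of the original post. It assumes a toy 512-bit RSA key generated inline, a salted-FDH-style encoding of salt || SHA-256(salt || message), and that the auditing verifier shares the signer's PRF key (as the owner of a signing black box would); everything here is constructed for the demo.

```python
import hashlib, hmac, secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; adequate for a demo key."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        # witness proves n composite unless a^d is +-1 or some squaring reaches -1
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False
    return True

def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def keygen():
    """Toy 512-bit RSA key plus a secret PRF key for the salt (demo sizes, not for real use)."""
    while True:
        p, q, e = gen_prime(256), gen_prime(256), 65537
        if (p - 1) % e and (q - 1) % e:  # e must be invertible mod phi(n)
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)), secrets.token_bytes(32))

def prf_salt(prf_key, msg):
    return hmac.new(prf_key, msg, hashlib.sha256).digest()[:16]  # 16-byte salt = PRF(msg)

def sign(priv, msg, salt=None):
    """Honest signer: salt = PRF(msg), so output is deterministic and carries no free bits."""
    n, d, prf_key = priv
    salt = prf_salt(prf_key, msg) if salt is None else salt  # explicit salt = signer ignoring the rule
    em = salt + hashlib.sha256(salt + msg).digest()          # 48-byte encoding, always < n
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(64, "big")

def verify(pub, msg, sig, prf_key=None):
    """Plain check recovers the salt and checks the hash; with prf_key it also
    recomputes the salt, which is the check that closes the subliminal channel."""
    n, e = pub
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(64, "big")
    salt, h = em[16:32], em[32:]
    if any(em[:16]) or not hmac.compare_digest(h, hashlib.sha256(salt + msg).digest()):
        return False  # top 16 bytes must be zero (48-byte encoding in a 64-byte modulus)
    return prf_key is None or hmac.compare_digest(salt, prf_salt(prf_key, msg))
```

A signer that picks its own salt still passes the plain check, which is exactly why the auditor's recomputation of the salt is the step that matters.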
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com