RSA question

Francois Grieu fgrieu at gmail.com
Wed Sep 1 02:16:54 EDT 2010


On 01/09/2010 02:30, Joseph Ashwood wrote:

> [you may be] looking for a digital signature algorithm,
> all the good ones have entropy injected.

I disagree on that last line. There are good digital
signature schemes with no injection of entropy. An example
is ISO/IEC 9796-2:2002 Digital signature scheme 1,
a deterministic digital signature scheme.

Such schemes are very useful because they do not allow a
subliminal channel that the signer could use for
nefarious purposes. Two examples:
- You want to know that this signing black box you purchased,
  accepting (private key, message) and producing a signature
  using an ASIC, does not leak the private key in the
  signature (you also need to guard against other leaks,
  e.g. timing).
- You want to know that this anonymous timestamping web
  service does not embed your IP in the timestamp (although
  admittedly, you can't rule out that it keeps and secretly
  sells a log of the IP associated with each timestamp
  produced).

For RSA-based digital signature schemes, it is possible to
turn a good scheme with injection of entropy into a good
deterministic scheme: replace the entropy by a pseudo random
function of the message, and have that added information
checked by the verifier.

PKCS#1v2 (which recommends RSASSA-PSS, a probabilistic signature
scheme) acknowledges that:
  RSASSA-PSS is different from other RSA-based signature schemes
  in that it is probabilistic rather than deterministic,
  incorporating a randomly generated salt value. The salt value
  enhances the security of the scheme by affording a "tighter"
  security proof than deterministic alternatives such as Full
  Domain Hashing (..)
  However, the randomness is not critical to security. In
  situations where random generation is not possible, a fixed
  value or a sequence number could be employed instead, with
  the resulting provable security similar to that of FDH (..)


  Francois Grieu
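The transformation the post describes (keep RSASSA-PSS, but replace the random salt by a pseudo-random function of the message and have the verifier check the recovered salt), as an added worked example that is not part of the original post: a compact pure-Python RSA-PSS where `sign` derives the salt deterministically and `verify` rejects any signature whose salt is not the one the PRF dictates. The salt construction `det_salt`, the 1024-bit demo key size and all function names are my own assumptions, and the prime generator is a Fermat test suitable only for a demo.

```python
import hashlib, hmac, random
H, hLen = hashlib.sha256, 32  # one digest for the message hash, the PSS hash and MGF1

def mgf1(seed, n):
    return b"".join(H(seed + i.to_bytes(4, "big")).digest() for i in range(-(-n // hLen)))[:n]

def det_salt(m):  # assumed construction: a public PRF-like function of the message replaces the random salt
    return H(b"det-pss-salt|" + m).digest()

def pss_encode(m, salt, em_bits):  # EMSA-PSS-ENCODE with a caller-supplied salt
    em_len, top = -(-em_bits // 8), 0xFF >> (-em_bits % 8)
    h = H(bytes(8) + H(m).digest() + salt).digest()
    db = bytes(em_len - hLen - len(salt) - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, len(db))))
    return bytes([masked[0] & top]) + masked[1:] + h + b"\xbc"

def pss_verify(m, em, em_bits, expected_salt=None, s_len=hLen):
    # EMSA-PSS-VERIFY; when expected_salt is given, the recovered salt must also equal it
    em_len, top = -(-em_bits // 8), 0xFF >> (-em_bits % 8)
    if len(em) != em_len or em[-1] != 0xBC: return False
    masked, h = em[:em_len - hLen - 1], em[em_len - hLen - 1:-1]
    if masked[0] & ~top: return False
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, len(masked))))
    db, ps_len = bytes([db[0] & top]) + db[1:], em_len - hLen - s_len - 2
    if db[:ps_len] != bytes(ps_len) or db[ps_len] != 1: return False
    salt = db[ps_len + 1:]
    ok = hmac.compare_digest(h, H(bytes(8) + H(m).digest() + salt).digest())
    return ok and (expected_salt is None or hmac.compare_digest(salt, expected_salt))

def rand_prime(bits):  # Fermat test with random bases: fine for a demo, not a production prime generator
    while True:
        c = random.getrandbits(bits) | 1 << (bits - 1) | 1  # force the top and low bits
        if c % 65537 != 1 and all(pow(random.randrange(2, c - 1), c - 1, c) == 1 for _ in range(32)):
            return c

def keygen(bits=1024):  # demo-sized key so generation is quick; use 2048+ bits for real use
    p, q = rand_prime(bits // 2), rand_prime(bits // 2)
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))

def sign(priv, m, salt=None):  # salt=None gives the deterministic scheme; any other salt is plain PSS
    n, d = priv
    em = pss_encode(m, det_salt(m) if salt is None else salt, n.bit_length() - 1)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(-(-n.bit_length() // 8), "big")

def verify(pub, m, sig, deterministic=True):
    n, e = pub
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(-(-(n.bit_length() - 1) // 8), "big")
    return pss_verify(m, em, n.bit_length() - 1, det_salt(m) if deterministic else None)
```

A plain PSS verifier (`deterministic=False`) accepts a signature made with any salt, which is exactly the room a signer could use as a subliminal channel; the deterministic verifier accepts only the single salt the message dictates.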
