[Cryptography] Signature Hashing Choices ... So Many Choices ...
Andrew Donoho
awd at ddg.com
Thu Oct 19 09:38:50 EDT 2017
Gentlefolk,
Once again I come with what appears to me to be a simple design choice informed by implementation realities. But in the world of crypto, there are always unseen by me issues. Thank you in advance for any insight you care to share.
The scene:
I want to sign a BLOB for a counter party. What constitutes the hash we sign? Normally, I would hash the identifying preamble information followed by the bytes of the BLOB, hash(preamble || BLOB). Life is good. That would be the preferred pattern and I would normally be happy with that.
In this situation though, we must factor in time. The BLOB could be quite large and, for good legal reasons, I’m requiring that it must be completely under my control before countersigning. For scaling purposes though, I do not have all of the preamble information when the BLOB is being uploaded. Calculating the hash of the BLOB could take some time. An answer would be to calculate the hash as the BLOB arrives and use that hash in the signature hash. As in hash the identifying preamble information followed by the hash of the BLOB, hash(preamble || hash(BLOB)). This, of course, results in a different hash value.
hash(preamble || BLOB) != hash(preamble || hash(BLOB))
To my cryptographically unsophisticated eye, they look to be equivalently secure. Are they? My trusty copy of "Cryptography Engineering" appears to be silent on this issue. Any opinions?
Anon,
Andrew
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
awd at DDG.com, +1 (512) 750-7596, twitter.com/adonoho
Doubt is not a pleasant condition, but certainty is absurd.
— Voltaire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20171019/4bc8a928/attachment.html>
More information about the cryptography
mailing list