[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Suggested changes for DSA2, take 4

To: ben@xxxxxxxxxxxxx, ietf-openpgp@xxxxxxx
Subject: Re: Suggested changes for DSA2, take 4
From: hal@xxxxxxxxxx ("Hal Finney")
Date: Wed, 29 Mar 2006 10:45:30 -0800 (PST)
List-archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-id: <ietf-openpgp.imc.org>
List-unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
Sender: owner-ietf-openpgp@xxxxxxxxxxxx

Ben Laurie writes:
> Slightly late to the party here, but I should note that hash truncation
> is not an operation that is thoroughly approved of. In particular I
> would worry that if it is permitted a cunning attacker might be able to
> choose a new q s.t. the signature still validated on a much shorter
> version of the hash, and thus show a valid signature on the wrong
> document. I would therefore suggest that we do _not_ permit arbitrary
> truncation of hashes.

I don't understand what you are proposing here.  To choose a new q means
to create a new key: a new (p, q, g, x, y) tuple.  Then you are worried
that an existing (r, s) signature could be made to work with this new key?
I don't see why this would be a concern even if it worked; and it could be
eliminated by checking that r and s are < q, which you should do anyway.

The NIST standard supports arbitrary truncation of (strong) hashes, and
if it were that risky I doubt very much that it would have gotten in.
John Kelsey at NIST is one of the top people in the field today and I
am sure this has been reviewed by him and other cryptographers.

Hal Finney

Follow-Ups:
- Re: Suggested changes for DSA2, take 4
  - From: Ben Laurie

Prev by Date: Re: Suggested changes for DSA2, take 4
Next by Date: Re: Suggested changes for DSA2, take 4
Previous by thread: Re: Suggested changes for DSA2, take 4
Next by thread: Re: Suggested changes for DSA2, take 4
Index(es):
- Date
- Thread