Randomized hashing

Ingo Klöcker kloecker at kde.org
Fri Nov 28 22:15:51 CET 2014


On Thursday 27 November 2014 17:10:08 NdK wrote:
> Il 27/11/2014 11:28, Peter Lebbing ha scritto:
> 
> [Resending to list]
> 
> > Perhaps I should add that it takes real research and formal proof to show
> > that this randomized hashing doesn't add attack vectors, and I have been
> > glossing over that. But that is because at a glance it looks like such
> > research has been done. That doesn't mean it's a fact that there are no
> > significant attack vectors, but it does give the scheme credibility.
> 
> Well, I'm no expert, but it gives me the feeling of being potentially
> dangerous, since once the attacker has your signature for a document
>   s=E(Prk, H(RMX(M,r))) , r
> (note that r is not signed, as the rhash scheme suggests and the paper
> confirms!) he *might* be able to calculate r' so that RMX(M',r') ==
> RMX(M,r) then 'recycle' your signature for M'. Remember that RMX is
> proposed to be a simple block-xor! For very short (less than a single
> hash block) messages it's trivial, if I'm not badly misled by the
> graphic description in the site:
> RMX(0, 1) == RMX(1, 0)

I think you missed that according to the diagram RMX(M, r) = (r, ...), i.e. it 
starts with r. Consequently, RMX(M',r') = RMX(M,r) => (M',r') = (M,r), i.e. 
RMX is injective.


Regards,
Ingo
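Added illustration, not code from the thread or from the RMX paper: a toy model of the two readings of RMX discussed above. `rmx` follows the diagram Ingo describes (r is emitted first, then each message block XOR r); `rmx_no_prefix` is the block-xor-only reading NdK reasons about. The 8-byte block size and the "message length is a multiple of the block size" rule are simplifications assumed for the toy.

```python
# Toy RMX to illustrate the injectivity argument (not the real scheme's parameters).
BLOCK = 8  # assumed toy block size; real RMX works on the hash function's block size


def _blocks(m: bytes) -> list[bytes]:
    """Split m into BLOCK-sized chunks; the toy requires a whole number of blocks."""
    if len(m) % BLOCK:
        raise ValueError("toy RMX expects len(m) to be a multiple of BLOCK")
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rmx(m: bytes, r: bytes) -> bytes:
    """RMX as in the diagram: output starts with r, followed by every block XOR r."""
    if len(r) != BLOCK:
        raise ValueError("r must be one block long")
    return r + b"".join(_xor(blk, r) for blk in _blocks(m))


def rmx_no_prefix(m: bytes, r: bytes) -> bytes:
    """The reading NdK objects to: only the XORed blocks, r itself not included."""
    if len(r) != BLOCK:
        raise ValueError("r must be one block long")
    return b"".join(_xor(blk, r) for blk in _blocks(m))


def invert_rmx(out: bytes) -> tuple[bytes, bytes]:
    """Recover (m, r) from rmx() output.

    Because r is the first block, the output fixes r, and r then fixes every
    message block. Existence of this inverse is exactly the injectivity claim:
    RMX(M', r') == RMX(M, r) forces (M', r') == (M, r).
    """
    r, rest = out[:BLOCK], out[BLOCK:]
    m = b"".join(_xor(rest[i:i + BLOCK], r) for i in range(0, len(rest), BLOCK))
    return m, r


if __name__ == "__main__":
    zero, one = b"\x00" * BLOCK, b"\x01" * BLOCK
    # NdK's RMX(0, 1) == RMX(1, 0) holds only for the prefix-less reading.
    print("no prefix collides:", rmx_no_prefix(zero, one) == rmx_no_prefix(one, zero))
    print("with prefix collides:", rmx(zero, one) == rmx(one, zero))
    print("inverse recovers input:", invert_rmx(rmx(b"attack at dawn!!", one)))
```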