Re: [Cfrg] On using ROs for analyzing randomness extraction functions



On Fri, Oct 28, 2005 at 02:14:36PM -0700, David Wagner wrote:

[...]

> Let me try an analogy.  When we analyze "hash-then-sign" (FDH signatures)
> in the RO model, our RO idealization implicitly assumes that the
> trapdoor permutation is independent of the choice of H.  That's an
> assumption that is never proved; and one has to look at the real world
> scheme and guess whether the assumption is met.  But if we take, say,
> a FDH signature where we hash with SHA256 and then sign with raw RSA, it
> boggles the imagination that there could be any bad interaction between
> SHA256 and RSA.  Consequently, the "no bad interactions" looks like a
> fairly plausible assumption, even though it is not something we know how
> to prove.  We wouldn't say that the "hash-then-sign" task is impossible in
> reality, even though it is true that there do exist (contrived-looking)
> trapdoor permutations that interact with SHA256 badly enough to make
> "hash-then-sign" insecure with those trapdoor permutations.

Could you provide a reference to or sketch of what such a function might look
like? I gave it a bit of thought and couldn't see any way of creating a
trapdoor such as you describe, so now I'm curious.

-Jack

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg