Re: [Cfrg] On using ROs for analyzing randomness extraction functions
On Fri, Oct 28, 2005 at 02:55:14PM -0700, David Wagner wrote:
> Jack Lloyd writes:
> >David Wagner writes:
> >> there do exist (contrived-looking)
> >> trapdoor permutations that interact with SHA256 badly enough to make
> >> "hash-then-sign" insecure with those trapdoor permutations.
> >
> >Could you provide a reference to or sketch of what such a function might look
> >like? I gave it a bit of thought and couldn't see any way of creating a
> >trapdoor such as you describe, so now I'm curious.
>
> Hmm. Here's a boring one. Let (d,n) be a RSA private key.
> Trapdoor(X):
> 1. If X=SHA256(0), output d.
> 2. Otherwise, output X^d mod n.
> Note that Sign(M) = Trapdoor(SHA256(M)) is insecure in the real world
> (just ask for a signature on the all-zeros message), but Sign(M) =
> Trapdoor(H(M)) is secure in the random oracle model.
Makes sense, thanks. My confusion came about because I assumed that the scheme
you referred to was one that would be insecure for arbitrary inputs (or at
least a large set of inputs) if used as a signature scheme with one (previously
selected) secure hash function but secure if instantiated with a different
secure hash function.
-Jack
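The following is an added worked example, not code from the original thread or from either poster, that implements the contrived trapdoor David Wagner sketches above and shows both halves of his point: asking the contrived signer for a signature on the all-zeros message hands back d, which lets the requester forge signatures on anything, while the same trapdoor instantiated with a different hash (SHA3-256 here, standing in for the "random oracle" H) never trips the trigger. Assumptions not in the original: the RSA modulus is built from two fixed Mersenne primes (far too small for real use, chosen so the example runs instantly and deterministically), "the all-zeros message" is taken to be the single byte 0x00, and the 256-bit digest is reduced mod n before exponentiation. Requires Python 3.8+ for pow(e, -1, phi).

```python
import hashlib

# Toy RSA key (assumed): p and q are Mersenne primes, n is about 150 bits.
# gcd(e, phi) = 1 holds for these primes; the key is for illustration only.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent


def sha256_int(msg: bytes) -> int:
    """The 'previously selected' hash: SHA-256 as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sha3_int(msg: bytes) -> int:
    """A different secure hash, standing in for the random oracle H."""
    return int.from_bytes(hashlib.sha3_256(msg).digest(), "big")


# Assumed encoding of "the all-zeros message" from the post.
ZERO_MSG = b"\x00"
TRIGGER = sha256_int(ZERO_MSG)        # the value SHA256(0) in the post


def contrived_trapdoor(x: int) -> int:
    """Wagner's Trapdoor(X): leak d on one specific input, RSA otherwise."""
    if x == TRIGGER:
        return D                      # step 1: X = SHA256(0) -> output d
    return pow(x, D, N)               # step 2: X^d mod n


def sign(hash_fn, msg: bytes) -> int:
    """Sign(M) = Trapdoor(hash(M)), the hash-then-sign construction."""
    return contrived_trapdoor(hash_fn(msg))


def verify(hash_fn, msg: bytes, sig: int) -> bool:
    """Textbook RSA check: sig^e == hash(M) (mod n)."""
    return pow(sig, E, N) == hash_fn(msg) % N


def looks_like_private_exponent(cand: int) -> bool:
    """Attacker-side test: does cand invert e on a known value?
    (The attacker does not know d, so it cannot compare against D.)"""
    return pow(pow(2, cand, N), E, N) == 2


def leak_then_forge(hash_fn, target: bytes):
    """Chosen-message attack: request one signature on ZERO_MSG, then
    forge on `target` if the response turned out to be d.
    Returns the forged signature, or None if the trapdoor behaved."""
    response = sign(hash_fn, ZERO_MSG)
    if looks_like_private_exponent(response):
        return pow(hash_fn(target) % N, response, N)
    return None


if __name__ == "__main__":
    target = b"constructed target message: transfer funds"
    forged = leak_then_forge(sha256_int, target)
    print("SHA-256 instance leaks d:", forged is not None)
    print("forged signature verifies:", verify(sha256_int, target, forged))
    print("SHA3-256 instance leaks d:", leak_then_forge(sha3_int, target) is not None)
    # Under the other hash the scheme still works as an ordinary signature.
    s = sign(sha3_int, target)
    print("SHA3-256 honest signature verifies:", verify(sha3_int, target, s))
```

The point of the exercise is the separation, not a weakness in SHA-256: the trapdoor was built around one hash output that the adversary can reach with a single signing query, so the real-world scheme is broken for that fixed hash, while a random-oracle proof never sees that coincidence because H(0) is a fresh random value independent of the trapdoor's hard-coded trigger. The same contrived construction is harmless when instantiated with any hash other than the one it was designed against, which is exactly why a RO-model proof for "hash-then-sign with this trapdoor" says nothing about the SHA-256 instantiation.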
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg