
RE: [Cfrg] On using ROs for analyzing randomness extraction functions



> > to prove.  We wouldn't say that the "hash-then-sign" task is impossible in
> > reality, even though it is true that there do exist (contrived-looking)
> > trapdoor permutations that interact with SHA256 badly enough to make
> > "hash-then-sign" insecure with those trapdoor permutations.
>
> Could you provide a reference to or sketch of what such a function might look
> like? I gave it a bit of thought and couldn't see any way of creating a
> trapdoor such as you describe, so now I'm curious.

For the record, a (full domain) hash-and-sign signature based on a
trapdoor permutation cannot be proved secure in the standard model by a
blackbox reduction, as shown recently by Yevgeniy Dodis, Roberto
Oliveira and Krzysztof Pietrzak in "On the Generic Insecurity of the Full
Domain Hash" (Crypto'05).

--Ilya

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg