Vedaal writes:
Shamir's Discrete Logarithm Hash was recently implemented by Ralf Senderek
in a new small crypto program, PCP (Pure Crypto Project)
(hash description is here:)
http://senderek.de/SDLH/
It's security properties are a little unusual, in that the creator of
the hash function can forge collisions. Senderek has the creator be
the signer, which seems to work OK, but it is still different enough
from traditional hashes that it makes me wonder.
Traditionally, signature security proofs are based on a random oracle
model, while this hash function is like a random oracle with a trap door.
I don't know if there exist security proofs for that arrangement.
(although it won't work for dh keys ;-( )
I don't see why it can't. The hash's RSA modulus has nothing to do
with the signature key.
Hal Finney