ietf-openpgp

Re: Shamir's Discrete Logarithm Hash

2003-11-18 10:48:30



On Mon, 17 Nov 2003 14:32:37 -0800 David Shaw <dshaw(_at_)jabberwocky(_dot_)com>
wrote:

[...]

I don't feel qualified to argue for or against the SDLH in terms of
its security.  I do, however, argue that any new algorithm needs more
than one web page describing it before it should be included in
OpenPGP.  There just aren't enough "inches of paperwork" yet.

There was a very interesting thread about the SDLH and the Pure Crypto
project on the cryptography mailing list a few months ago.
http://www.mit.edu:8008/bloom-picayune/crypto/13163

Thanks, was a very interesting thread!

the only potential practical flaw that was mentioned in the thread, was
that by Peter Wayner, in the event that a signer could be tricked into
signing a specially constructed message,

this could easily be avoided by implementing the hash to have the signer
routinely add some 'salt' at the end of the message, after a disclaimer
line saying:
"this added line is not part of the content of the message but is added
to avoid certain cryptographic attacks."

a similar approach could also be used by adding a line of plaintext to
an rsa encrypted message, and then signing the
[rsa message + plaintext line]
and avoid a Ross Anderson type attack in those instances where the signature
is on an encrypted rsa message itself.

there is a 'proof' of security by Ron Rivest mentioned in the thread,
and while i agree with you, that it is not yet widely tested / studied
enough to be blanketly accepted as 'secure'

still,
perhaps then, it might find a place as one of those
'off-the-beaten-path' niceties offered in gnupg,
as a way to verify pcp signed messages using v3 keys

(with the appropriate cautions like,
"warning, hash not yet fully extensively evaluated by cryptographic community",
 etc.)

and then, as it 'does' get off the ground and get used, and evaluated,

then it will either have a vulnerability found,
or found to be a nice hash function of relatively predictable practical
durability,
(as long as the key size is considered 'secure')


anyway,
just a thought for those periods of 'lull-time' on this list ;-)


vedaal








