[Top] [All Lists]

Re: How to Calculate Signatures?

2005-04-03 12:32:15

Ben Laurie writes:
The hash does include the ID of the hash, and hence the signature does.

Unfortunately, that doesn't protect against the attack.  The ID of SHA-1
is 2 and the ID of RIPEMD-160 is 3.  If SHA-1 were broken badly enough
it's entirely possible that we could find m1 and m2 such that:

SHA1 (2 || m1) == RIPEMD160 (3 || m2).

The mere fact that you feed the hash algorithm ID into the hash algorithm
doesn't stop you from finding collisions with a different, broken hash

The situation is different with RSA, where you do:

RSA_Sign (Alg ID || Hash).

Now, it is impossible to get collisions using two different algorithm ID's
because the algorithm ID is outside the hash.