ietf-openpgp

Re: How to Calculate Signatures?

2005-04-03 14:22:49

Hal Finney wrote:

> Unfortunately, that doesn't protect against the attack.  The ID of SHA-1
> is 2 and the ID of RIPEMD-160 is 3.  If SHA-1 were broken badly enough
> it's entirely possible that we could find m1 and m2 such that:
>
> SHA1 (2 || m1) == RIPEMD160 (3 || m2).
>
> The mere fact that you feed the hash algorithm ID into the hash algorithm
> doesn't stop you from finding collisions with a different, broken hash
> algorithm.


Which would seem to be mildly supportive of locking
DSA with SHA1?

> The situation is different with RSA, where you do:
>
> RSA_Sign (Alg ID || Hash).
>
> Now, it is impossible to get collisions using two different algorithm ID's
> because the algorithm ID is outside the hash.


And this would seem to suggest that rather than
tinkering with DSA, we should prefer a completely
new signature algorithm?

iang

--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
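
The point made in the quoted text, as an added example that is not part of the original message: a toy model in which both hashes are truncated to 16 bits to stand in for a "badly broken" algorithm. Assumptions: SHA-256 (OpenPGP ID 8) stands in for the second algorithm because RIPEMD-160 is not available in every Python build, the algorithm ID is a single byte rather than a real DigestInfo encoding, and all function names are hypothetical.

```python
import hashlib
from itertools import count

SHA1_ID, SHA256_ID = 2, 8   # OpenPGP hash algorithm IDs
TOY_LEN = 2                 # assumption: keep 16 bits so collisions are cheap
_HASHES = {SHA1_ID: hashlib.sha1, SHA256_ID: hashlib.sha256}


def toy_hash(alg_id: int, msg: bytes) -> bytes:
    """Hash (alg_id || msg) with the ID fed INTO the hash, then truncate."""
    return _HASHES[alg_id](bytes([alg_id]) + msg).digest()[:TOY_LEN]


def find_cross_collision():
    """Find m1, m2 with toy SHA1(2 || m1) == toy SHA256(8 || m2)."""
    # Constructed sample messages; precompute a table under the first algorithm.
    table = {}
    for i in range(4096):
        m1 = b"m1-%d" % i
        table[toy_hash(SHA1_ID, m1)] = m1
    # Walk messages under the second algorithm until a digest is in the table.
    for j in count():
        m2 = b"m2-%d" % j
        digest = toy_hash(SHA256_ID, m2)
        if digest in table:
            return table[digest], m2


def dsa_style_input(alg_id: int, msg: bytes) -> bytes:
    """Value handed to the signature primitive when only the hash is signed."""
    return toy_hash(alg_id, msg)


def rsa_style_input(alg_id: int, msg: bytes) -> bytes:
    """Value signed when the algorithm ID sits OUTSIDE the hash: ID || hash."""
    return bytes([alg_id]) + toy_hash(alg_id, msg)


if __name__ == "__main__":
    m1, m2 = find_cross_collision()
    print("colliding pair:", m1, m2)
    # Same signed value: one signature would verify for both messages.
    print("hash only  :", dsa_style_input(SHA1_ID, m1).hex(),
          dsa_style_input(SHA256_ID, m2).hex())
    # Different signed values: the outer ID byte separates the two algorithms.
    print("ID || hash :", rsa_style_input(SHA1_ID, m1).hex(),
          rsa_style_input(SHA256_ID, m2).hex())
```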