Perhaps I should add that it takes real research and formal proof to show that this randomized hashing doesn't add attack vectors, and I have been glossing over that. But that is because at a glance it looks like such research has been done. That doesn't mean it's a fact that there are no significant attack vectors, but it does give the scheme credibility.
Here's the abstract of the first paper on [1], by the way:

> We propose randomized hashing as a mode of operation for cryptographic hash
> functions intended for use with standard digital signatures and without
> necessitating of any changes in the internals of the underlying hash function
> (e.g., the SHA family) or in the signature algorithms (e.g., RSA or DSA). The
> goal is to free practical digital signature schemes from their current
> reliance on strong collision resistance by basing the security of these
> schemes on significantly weaker properties of the underlying hash function,
> thus providing a safety net in case the (current or future) hash functions in
> use turn out to be less resilient to collision search than initially
> thought. We design a specific mode of operation that takes into account
> engineering considerations (such as simplicity, efficiency and compatibility
> with existing implementations) as well as analytical soundness.
> Specifically, the scheme entails unmodified use of the hash function with
> randomization applied only to the message before it is input to the hash
> function. We formally show the sufficiency of an assumption significantly
> weaker than collision-resistance for proving the security of the scheme. We
> also contribute to the standardization of a randomized hashing mode by
> providing a full and detailed spec that instantiates our scheme, provides the
> full benefits guaranteed by our results, and is ready for implementation and
> integration with existing applications.

Peter.

[1] http://webee.technion.ac.il/~hugo/rhash/

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
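To make the "randomization applied only to the message" idea concrete, here is a small added example (not code from the message above, from the paper, or from GnuPG) of an RMX-style transform: the signer picks a fresh one-block salt r, prepends it to the message, XORs it into every message block, and hashes the result with an unmodified SHA-256; the verifier needs r alongside the signature to recompute the digest. The 64-byte block size for SHA-256 is standard; the 0x80 end marker used for padding is a simplification of the paper's full spec and is an assumption of this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

BLOCK_LEN = 64  # SHA-256 compresses 512-bit (64-byte) message blocks


def rmx_transform(salt: bytes, message: bytes) -> bytes:
    """Return r || (M_1 xor r) || ... || (M_L xor r), the randomized input
    that is fed to the *unmodified* hash function.

    Padding: a 0x80 marker byte then zeros up to the block boundary, so the
    transform is injective in the message (assumed simplification of the
    paper's padding rule)."""
    if len(salt) != BLOCK_LEN:
        raise ValueError("salt must be exactly one hash block long")
    padded = message + b"\x80"
    padded += b"\x00" * ((-len(padded)) % BLOCK_LEN)
    out = bytearray(salt)  # the salt itself is hashed as the first block
    for i in range(0, len(padded), BLOCK_LEN):
        chunk = padded[i:i + BLOCK_LEN]
        out.extend(b ^ s for b, s in zip(chunk, salt))
    return bytes(out)


def randomized_digest(message: bytes,
                      salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Signer side: choose r (fresh and random unless supplied for tests),
    return (r, H(RMX(r, M))). The signature scheme then signs the digest
    exactly as it would sign a plain hash, and r travels with the signature."""
    if salt is None:
        salt = os.urandom(BLOCK_LEN)
    return salt, hashlib.sha256(rmx_transform(salt, message)).digest()


def verify_randomized_digest(message: bytes, salt: bytes,
                             digest: bytes) -> bool:
    """Verifier side: recompute H(RMX(r, M)) from the transmitted r and
    compare in constant time. Without r the digest cannot be recomputed,
    which is why r must be carried alongside the signature."""
    expected = hashlib.sha256(rmx_transform(salt, message)).digest()
    return hmac.compare_digest(expected, digest)
```

Because r is chosen by the signer only at signing time, two messages prepared in advance to collide under plain SHA-256 do not in general still collide after the transform, which is the "safety net" the abstract describes.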