On Thursday 27 November 2014 17:10:08 NdK wrote:
> On 27/11/2014 11:28, Peter Lebbing wrote:
> > [Resending to list]
> >
> > Perhaps I should add that it takes real research and formal proof to show
> > that this randomized hashing doesn't add attack vectors, and I have been
> > glossing over that. But that is because at a glance it looks like such
> > research has been done. That doesn't mean it's a fact that there are no
> > significant attack vectors, but it does give the scheme credibility.
>
> Well, I'm no expert, but it gives me the feeling of being potentially
> dangerous, since once the attacker has your signature for a document
> s=E(Prk, H(RMX(M,r))) , r
> (note that r is not signed, as the rhash scheme suggests and the paper
> confirms!) he *might* be able to calculate r' so that RMX(M',r') ==
> RMX(M,r) then 'recycle' your signature for M'. Remember that RMX is
> proposed to be a simple block-xor! For very short (less than a single
> hash block) messages it's trivial, if I'm not badly misled by the
> graphic description on the site:
> RMX(0, 1) == RMX(1, 0)
I think you missed that according to the diagram RMX(M, r) = (r, ...), i.e. it starts with r.

Consequently, RMX(M',r') = RMX(M,r) => (M',r') = (M,r), i.e. RMX is injective.

Regards,
Ingo
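The injectivity argument above, worked through in code. This is an added example, not code from either poster or from the randomized-hashing proposal: it models RMX exactly as the thread describes it (r emitted first, then every message block XORed with r) and shows why the proposed "recycling" fails. The block size of 8 bytes and the 0x80-then-zeros padding rule are assumptions made here for a compact illustration; the real construction uses the hash function's block size and its own padding.

```python
import hashlib

# Assumed block size for this illustration (the real RMX uses the hash's block size).
BLOCK = 8


def _pad(message: bytes) -> bytes:
    """Assumed padding rule: 0x80 then zeros up to a block boundary.
    It is unambiguous, so the inverse below can strip it again."""
    return message + b"\x80" + b"\x00" * ((-len(message) - 1) % BLOCK)


def rmx(message: bytes, r: bytes) -> bytes:
    """RMX as described in the thread: output r, then M_i XOR r for every block."""
    if len(r) != BLOCK:
        raise ValueError("r must be exactly one block")
    padded = _pad(message)
    out = bytearray(r)  # r is the first block of the output (not secret, not signed)
    for i in range(0, len(padded), BLOCK):
        out.extend(a ^ b for a, b in zip(padded[i:i + BLOCK], r))
    return bytes(out)


def rmx_inverse(randomized: bytes):
    """Recover (message, r) from an RMX output.

    The existence of this inverse is the whole injectivity argument: because r
    is in the clear at the front, every following block can be un-XORed, so two
    distinct (M, r) pairs can never produce the same RMX output."""
    r = randomized[:BLOCK]
    padded = bytearray()
    for i in range(BLOCK, len(randomized), BLOCK):
        padded.extend(a ^ b for a, b in zip(randomized[i:i + BLOCK], r))
    end = padded.rindex(0x80)  # strip the assumed padding
    return bytes(padded[:end]), r


def randomized_digest(message: bytes, r: bytes) -> bytes:
    """H(RMX(M, r)); in the thread the signature covers this value while r
    travels alongside the signature unsigned."""
    return hashlib.sha256(rmx(message, r)).digest()


# Constructed one-block "0" and "1" values for the counterexample in the thread.
M0 = bytes(BLOCK)
M1 = b"\x00" * (BLOCK - 1) + b"\x01"


def xor_blocks_collide() -> bool:
    """The part of NdK's observation that does hold: for single-block inputs the
    XORed block of RMX(0, 1) equals the XORed block of RMX(1, 0)."""
    a = rmx(M0, M1)[BLOCK:2 * BLOCK]  # 0 XOR 1 == 1
    b = rmx(M1, M0)[BLOCK:2 * BLOCK]  # 1 XOR 0 == 1
    return a == b


def full_outputs_collide() -> bool:
    """The full RMX outputs, however, differ: the leading r block is 1 vs 0."""
    return rmx(M0, M1) == rmx(M1, M0)


def signature_recyclable(m: bytes, r: bytes, m_prime: bytes, r_prime: bytes) -> bool:
    """A signature on H(RMX(m, r)) verifies for (m', r') only if the digests
    match; with RMX injective that would require a SHA-256 collision."""
    return randomized_digest(m, r) == randomized_digest(m_prime, r_prime)


if __name__ == "__main__":
    print("XOR blocks equal:", xor_blocks_collide())        # True
    print("RMX outputs equal:", full_outputs_collide())     # False
    msg, rnd = b"hello gnupg-users", b"\x13\x37\xc0\xde\x00\xff\x10\x01"
    print("inverse recovers input:", rmx_inverse(rmx(msg, rnd)) == (msg, rnd))
```

Running it shows the distinction the reply draws: the block-XOR part alone would indeed coincide for the one-block case, but once r is prepended the two RMX outputs differ, and `rmx_inverse` demonstrates that any RMX output pins down exactly one (M, r) pair.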
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users