Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.

Dismiss

What kind of RSA signature scheme is this?

1 view

Skip to first unread message

Jacques Dilbert

unread,

Apr 14, 2003, 11:45:36 AM4/14/03

The message m to be signed is mapped to the
following quantity (that is input to RSA encryption):

00 || MD5-Hash(m) || 00 ... 00
(padded on the right with 00 up to the RSA modulus length).

I believe no signature standard implements this
(I checked with X9.31, PKCS #1, ISO 9796).

Is this the Bellare-Rogaway FDH scheme ?
(FDH=Full Domain Hashing).

Thanks for any clue.

David Wagner

unread,

Apr 14, 2003, 8:47:59 PM4/14/03

Jacques Dilbert wrote:
>The message m to be signed is mapped to the
>following quantity (that is input to RSA encryption):
>
>00 || MD5-Hash(m) || 00 ... 00
>(padded on the right with 00 up to the RSA modulus length).

What kind of signature scheme is this? An insecure one.
(Look for semi-smooth numbers, and exploit homomorphic properties.)

Ok, that was a little joke, but as far as I know, it's not a standard.
I sure hope it's not a standard. I seem to remember that an early
version of Digicash's ecash protocol may have used this scheme; If I
remember correctly, I think Ian Goldberg and I showed an attack, and
they changed it. Or maybe I'm hallucinating.

>Is this the Bellare-Rogaway FDH scheme ?
>(FDH=Full Domain Hashing).

Nope.

0 new messages