Signer to NONEwithECDSA


Andrés Garagiola
Oct 22, 2015, 8:37:44 AM
to Crypto++ Users
Hello,

What is the right way to create a signer that produces signatures equivalent to those generated by the Java algorithm name "NONEwithECDSA"?

 
    CryptoPP::ECDSA<CryptoPP::ECP, CryptoPP::SHA1>::Signer signer(privateKey);

The above example is equivalent to SHA1withECDSA, but I don't know how to generate a signature like the one generated by NONEwithECDSA in Java.

Thanks
Regards


Mobile Mouse
Oct 22, 2015, 8:41:32 AM
to Andrés Garagiola, Crypto++ Users
I don't think Crypto++ supports a null hash there, and I would personally never use a NONEwithWhatever signing algorithm...

Sent from my iPad

Andrés Garagiola
Oct 22, 2015, 4:54:09 PM
to Crypto++ Users, andresg...@gmail.com
Yes you are right.

I found a solution anyway by implementing a subclass of IteratedHashWithStaticTransform called "NoneHash", with this method implementation for a 32-byte digest.

// Identity "transform": the eight 32-bit words of the input block become the
// eight 32-bit words of the state, so the 32-byte input is the 32-byte digest.
void NoneHash::Transform(CryptoPP::word32 *state, const CryptoPP::word32 *data)
{
    state[0] = data[0];
    state[1] = data[1];
    state[2] = data[2];
    state[3] = data[3];
    state[4] = data[4];
    state[5] = data[5];
    state[6] = data[6];
    state[7] = data[7];
}

Regards
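The NoneHash approach above gives the same semantics as Java's NONEwithECDSA: the bytes handed to the signer are used directly as the ECDSA digest value e, and nothing is hashed. The pure-Python P-256 model below is an added example (not Crypto++ code and not the poster's) showing that signing sha256(msg) through the pre-hashed path yields exactly the SHA256withECDSA signature, so a normal hashed verifier accepts it; the private scalar, nonce and message are constructed sample values, and the nonce is fixed only so both paths can be compared deterministically.

```python
import hashlib
# NIST P-256 (secp256r1) domain parameters; the curve constant b is not
# needed for signing or verifying, so it is omitted here.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p, q):
    """Affine point addition on y^2 = x^3 - 3x + b; None is infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def sign_prehashed(d, z, k):
    # NONEwithECDSA / NoneHash semantics: z is used as the digest, unhashed,
    # so z must already be a collision-resistant digest of the real message.
    if len(z) != 32:
        raise ValueError("NoneHash identity-maps exactly 32 bytes")
    e = int.from_bytes(z, "big")
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (e + r * d) % N

def sign_sha256(d, msg, k):
    """SHA256withECDSA: hash first, then sign the digest."""
    return sign_prehashed(d, hashlib.sha256(msg).digest(), k)

def verify_prehashed(Q, z, sig):
    """Digest-taking verifier; accepts signatures from either path above."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    e, w = int.from_bytes(z, "big"), pow(s, -1, N)
    X = add(mul(e * w % N, G), mul(r * w % N, Q))
    return X is not None and X[0] % N == r
```

Because the pre-hashed path commits only to the 32 bytes it is given, whatever integrity the hash step normally provides for the full message becomes the caller's responsibility, which is the point the replies below make.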

Mobile Mouse
Oct 23, 2015, 5:03:15 PM
to Andrés Garagiola, Crypto++ Users
It is excellent that you've found a solution - and thanks for posting it. 

I would still recommend changing the Java code to use a hashed signature.

Sent from my iPad

Jeffrey Walton
Oct 23, 2015, 5:08:58 PM
to Crypto++ Users, andresg...@gmail.com


> I would still recommend changing the Java code to use a hashed signature.

I'm just bike shedding and working in a vacuum, so forgive me if I'm missing something obvious (like the use case :). But I have to agree with Uri.

Hashing a message before signing it is one of the earliest public key discoveries and attacks. Bernstein has a very good history on the subject at "RSA signatures and Rabin–Williams signatures: the state of the art", http://cr.yp.to/sigs/rwsota-20080131.pdf.

My apologies if your problem domain takes you in another direction.

Vadym Fedyukovych
Oct 24, 2015, 5:41:08 AM
to Jeffrey Walton, cryptop...@googlegroups.com
On Fri, Oct 23, 2015 at 02:08:58PM -0700, Jeffrey Walton wrote:
> > I would still recommend changing the Java code to use hashed signature.
>
> ..so forgive me if I'm missing something obvious (like the use case :)..
>
> Hashing a message before signing it is one of the earliest public key
> discoveries and attacks. Bernstein has a very good history on the subject
> at "RSA signatures and Rabin–Williams signatures: the state of the art",
> http://cr.yp.to/sigs/rwsota-20080131.pdf.
>
> My apologies if your problem domain takes you in another direction.

Signatures with no hash applied to the message
are a valid specific problem domain, like DAA, U-Prove, Idemix.
The hash is only used there to produce an unpredictable challenge
for the non-interactive variant of a proof system.

Consider a message to be a set of user attributes.
No ASN.1 encoding and hashing, just integers.
In the case of U-Prove, field elements, residues modulo the prime order of a group.

Hashing attributes together would defeat the algebraic relations
at the core of non-interactive proofs,
resulting in no "selective information disclosure" property
for the signed attributes.

I'm writing this to avoid over-generalizing the hash-and-sign approach.

Vadym Fedyukovych