On Fri, Oct 23, 2015 at 02:08:58PM -0700, Jeffrey Walton wrote:
> > I would still recommend changing the Java code to use hashed signature.
>
> ..so forgive me if I'm missing something obvious (like the use case :)..
>
> Hashing a message before signing it is one of the earliest public key
> discoveries and attacks. Bernstein has a very good history on the subject
> at "RSA signatures and Rabin–Williams signatures: the state of the art",
Signatures with no hash applied to the message
are a valid, specific problem domain, like DAA, U-Prove, Idemix.
A hash is only used there to produce an unpredictable challenge
for the non-interactive variant of a proof system.
Consider a message to be a set of user attributes:
no ASN.1 encoding and hashing, just integers.
In the case of U-Prove, field elements, residues modulo a prime order of a group.
Hashing attributes together would defeat the algebraic relations
at the core of non-interactive proofs,
resulting in no "selective information disclosure" property
for the signed attributes.
I'm writing this to avoid over-generalizing the hash-and-sign approach.
Vadym Fedyukovych