Lewis McCarthy (lmccarth@cs.umass.edu)
Sat, 04 Apr 1998 18:49:38 -0500
Werner Koch writes:
> I'm using ElGamal signatures and wondering what are the advantages of
> packing the Hash into a structure of FF-padding, an ASN-OID and the Hash
> (this is the way PGP does it). None of the values aside from the Hash
> are used because the Hash algorithm is known from other fields in the
> packet. The big drawback is that I have to do the calculation on a (say)
> 1024-bit number instead of a 160-bit number (the Hash) - PGP 5 only uses
> the 160-bit Hash (due to DSA).
I'm guessing that PGP uses some variant of PKCS #1 for the format of
data signed with ElGamal. (The OpenPGP draft I found only talks about
RSA and DSA signatures, and I didn't find any kind of PGP 5-related
technical spec at www.nai.com.)
Block type 01, the type recommended for private-key RSA operations in
PKCS #1, uses FF padding to preclude a chosen ciphertext attack due to
Desmedt and Odlyzko (see the Notes in PKCS #1). The attack derives
from index-calculus discrete log algorithms, and thus the attacker
needs to obtain p^d for all primes p in a factor base.
The factor base includes all primes below a certain smoothness bound.
Inclusion of the FF padding octets near the high-order bits of each
payload forces the payload to be larger than any smoothness bound the
attacker might find useful.
--
Lewis  http://www.cs.umass.edu/~lmccarth/
"He's a little stiff, but then so are most engineers" -Robots Rising
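[Editor's added example, not part of the thread above and not PGP's or GnuPG's code.] To make the block-type-01 layout and the "smoothness bound" concrete, the following script encodes a SHA-1 digest the way PKCS #1 describes (0x00 0x01, a run of 0xFF octets, 0x00, then the DigestInfo carrying the OID and the hash), decodes it strictly, and probes B-smoothness by trial division over a factor base. The SHA-1 DigestInfo prefix is the one given in PKCS #1 / RFC 4880; the function names (`encode_message`, `smooth_fraction`, etc.), the 128-octet block size and the toy bit widths and factor-base bound used in the empirical part are this example's own assumptions. Note that the padding decides the matter by magnitude: the FF run at the high-order end puts the block near 2^1008, so a forger working from a factor base would need a 1024-bit value to be smooth, whereas a bare 160-bit hash value is merely unlikely to be.

```python
import hashlib
import random

# DigestInfo prefix for SHA-1 (PKCS #1 / RFC 4880 5.2.2): SEQUENCE {
#   AlgorithmIdentifier { OID 1.3.14.3.2.26, NULL }, OCTET STRING (20 bytes) }
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
SHA1_LEN = 20


def emsa_pkcs1_v15_encode(digest: bytes, em_len: int) -> bytes:
    """Block type 01 from PKCS #1: 0x00 0x01 || FF..FF || 0x00 || DigestInfo.

    The FF run sits at the high-order end, so as an integer the block always
    lies in [2^(8*(em_len-2)), 2^(8*(em_len-2)+1)), far above any 160-bit hash.
    """
    if len(digest) != SHA1_LEN:
        raise ValueError("expected a 20-byte SHA-1 digest")
    t = SHA1_DIGESTINFO_PREFIX + digest
    if em_len < len(t) + 11:            # PKCS #1 requires at least 8 padding octets
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def emsa_pkcs1_v15_decode(em: bytes) -> bytes:
    """Strict inverse of the encoder; rejects anything that is not block type 01."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        raise ValueError("bad block header")
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        raise ValueError("bad padding")
    t = em[i + 1:]
    if len(t) != len(SHA1_DIGESTINFO_PREFIX) + SHA1_LEN or not t.startswith(SHA1_DIGESTINFO_PREFIX):
        raise ValueError("bad DigestInfo")
    return t[len(SHA1_DIGESTINFO_PREFIX):]


def encode_message(message: bytes, em_len: int) -> bytes:
    """Hash with SHA-1 and build the block a signer would exponentiate (assumed helper)."""
    return emsa_pkcs1_v15_encode(hashlib.sha1(message).digest(), em_len)


def primes_below(bound: int) -> list:
    """Factor base: all primes p < bound (sieve of Eratosthenes)."""
    if bound < 2:
        return []
    sieve = bytearray([1]) * bound
    sieve[0:2] = b"\x00\x00"
    for p in range(2, int(bound ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(range(p * p, bound, p)))
    return [i for i in range(bound) if sieve[i]]


def is_smooth(n: int, factor_base: list) -> bool:
    """True if every prime factor of n is in factor_base (trial division)."""
    if n <= 0:
        return False
    for p in factor_base:
        while n % p == 0:
            n //= p
        if n == 1:
            return True
    return n == 1


def smooth_fraction(bits: int, bound: int, trials: int, seed: int = 0) -> float:
    """Fraction of random `bits`-bit integers that are `bound`-smooth.

    Toy widths only (assumed parameters): the probability falls off roughly
    like u^-u with u = bits / log2(bound), which is why a padded 1024-bit
    block is useless to an index-calculus forger while a bare 160-bit value
    is merely rarely smooth.
    """
    rng = random.Random(seed)
    fb = primes_below(bound)
    hits = 0
    for _ in range(trials):
        n = rng.getrandbits(bits) | (1 << (bits - 1))   # force the exact bit length
        if is_smooth(n, fb):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    em = encode_message(b"example message", 128)          # 1024-bit block (assumed size)
    print(em.hex())
    print("block bit length:", int.from_bytes(em, "big").bit_length())
    print("digest recovered:", emsa_pkcs1_v15_decode(em).hex())
    fb = primes_below(2 ** 16)
    print("bare digest 2^16-smooth?", is_smooth(int.from_bytes(em[-20:], "big"), fb))
    print("padded block 2^16-smooth?", is_smooth(int.from_bytes(em, "big"), fb))
    print("2^8-smooth fraction, 20-bit values:", smooth_fraction(20, 256, 2000, seed=1))
    print("2^8-smooth fraction, 64-bit values:", smooth_fraction(64, 256, 2000, seed=1))
```

Run it as-is; the empirical part uses 20-bit and 64-bit toy values against a factor base of primes below 256 so that the drop in smoothness probability with size is visible in a few thousand trials, which it would not be at 160 or 1024 bits. The decoder is deliberately strict (exact header, at least eight 0xFF octets, a single 0x00 separator, exact DigestInfo length) because a lenient verifier of this block type is a separate, well-known mistake.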
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:16:51 ADT