Question

In: Advanced Math

When using secure hash functions in an RSA signature, why do we sign the hash Sign...

When using secure hash functions in an RSA signature, why do we sign the hash Sign (H (m)) instead of taking the take the hash H (Sign (m)) ?

Solutions

Expert Solution

If you have a message m>N with N being the RSA modulus, then you have to perform at least 2 RSA signatures as m does not longer fit into ZN. Let us assume that it requires k such signatures and write the message m=(m1,…, mk) and the overall signature will be σ=(σ1, …, σk), i.e., k RSA signatures. Now without any additional measures anyone getting to hold (m, σ) can manipulate the message and adopt the signature by 1) swapping any pair of submessage mi, 1 ≤ i ≤ k and corresponding subsignature σi or 2) dropping a submessage and corresponding subsignature.

As an example for swapping lets say we have m=(m1, m2, m3) and thus σ=(σ1, σ2, σ3), i.e., 3 indepenendet RSA signatures for a message consisting of 3 blocks, then an adversary who gets (m, σ) can simply swap, for instance to m' = (m2, m3, m1) and σ′=(σ2, σ3, σ1), which is a forgery, as it clearly is a valid signature.

Existential forgery

If you do not use a redundancy scheme for messages prior to signing within RSA, they are susceptible to existential forgeries. Let (e, N) be the public signature verification key of RSA, then one can randomly choose a signature σ ∈ ZN and compute the corresponding message as m≡σe(modN).

Note that given an RSA signature σ, a message m and a public verification key (e,N), the signature verification for the textbook RSA signature will be to check: m≡ σ^e(modN).

Clearly, this check will hold for the forgery by construction. Observe, however, that the adversary can not control what the message m will exactly be. In particular, it will be a random element of ZN. However, this may be sufficient in some applications, e.g., when only signing random numbers when issuing some tokens. Applying a redundancy scheme to messages, i.e., hashing and padding prior to signing, renders so computed forged signatures useless in practice.

Final Remarks

Consequently, textbook RSA signatures must not be used and instead standardized padding methods for RSA involving hashing and padding the message must be used. Then, RSA signatures provide strong security guarantees (UF-CMA security).


Related Solutions

Which property of secure hash functions—one-way, weak collision-resitance, or strong collision-resistance—make them useful in the context...
Which property of secure hash functions—one-way, weak collision-resitance, or strong collision-resistance—make them useful in the context of password security? What is a password dictionary? Can it be used to improve password security? What is the motivation for limiting the password age? In particular, why would you enforce a maximum age? Why would you want to set a minimum age?
Do not answer using a percent sign, a dollar sign or with a number containing commas....
Do not answer using a percent sign, a dollar sign or with a number containing commas. For the questions involving rates, you can answer as a percent (for example 10) or as a decimal (for example 0.1). 1.4 Assume you purchased a share of stock for $80 on January 1, 2008 and sold the share of stock for $30 on December 31, 2012. If the stock paid no dividends what your average yearly growth rate? 1.5 Suppose the average growth...
Do not answer using a percent sign, a dollar sign or with a number containing commas....
Do not answer using a percent sign, a dollar sign or with a number containing commas. For the questions involving rates, you can answer as a percent (for example 10) or as a decimal (for example 0.1). 1.1 Suppose you purchased 100 shares of stock for $40 on January 1, 2003 and sold the share of stock for $100 on December 31, 2012. If the stock paid no dividends what is your holding period return? 1.2 Suppose you purchased 100...
why do we use complete induction and why do we use structual induction? When should we...
why do we use complete induction and why do we use structual induction? When should we use complete or structual?
Please Answer 4.4.2: Do you see any problems with the choice of hash functions in Exercise...
Please Answer 4.4.2: Do you see any problems with the choice of hash functions in Exercise 4.4.1? What advice could you give someone who was going to use a hash function of the form h ( x ) = ax + b mod 2 k ? Exercise 4.4.1: Suppose our stream consists of the integers 3, 1, 4, 1, 5, 9, 2,6, 5. Our hash functions will all be of the form h (x) = ax+b mod 32 for some...
What is a friend function? Do we have to use friend functions? Explain why or why...
What is a friend function? Do we have to use friend functions? Explain why or why not. c++
Why do we keep a petty cash fund. What do we debit and credit when we...
Why do we keep a petty cash fund. What do we debit and credit when we replenish it? How does a bank reconciliation help us control cash?
We had an example in class about using a sign test. We are supposed to find...
We had an example in class about using a sign test. We are supposed to find the b value by using the binomial table. b(alpha,n,1/2) which for this problem equals b(.05,10,1/2). When you use the binomial table, the b(.05,10,1/2) = 8. How do you use the binomial table to get 8 for the b value?
what we should do to protect and secure Web Site and Web Application
what we should do to protect and secure Web Site and Web Application
1. When we (humans) exercise we need energy. Why do we need this energy? Where do...
1. When we (humans) exercise we need energy. Why do we need this energy? Where do we get this energy from? Certain tissues which account for 40-50% of our body mass utilize a lot of energy and are especially important in exercise. Describe in detail how the “energy” gets to this tissue and how it is utilized by this tissue during low and vigorous exercise. What happens when the tissue does not have enough “energy” and when would a situation...
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT