Cryptography Reference
In-Depth Information
then
=
k
−
3
−
n,
(17.7)
and for the number
n
of data bytes, it follows that
n
≤
k
−
11
.
(17.8)
The minimum number
8
≤
of filler bytes is required for encryption for
reasons of security. It is thus possible to prevent an attacker from attaching a
catalog of encrypted messages to a public key and comparing the result with a
given encrypted text to determine the plain text without knowing the associated
secret key.
9
In particular, when one and the same message is encrypted with several keys,
it is important that the
PS
i
be random numbers that are determined anew for
each encryption operation.
In the signing case the data bytes
D
i
are typically constructed from an
identifier for a hash function
H
and the value
H
(
M
)
of this hash function (called
the
hash value
), which represents the text
M
to be signed. The resulting data
structure is called the
DigestInfo
. The number of data bytes depends in this
case on the constant length of the hash value, independent of the length of the
text. This is particularly advantageous when
M
is much longer than
H
(
M
)
.We
shall not go into the precise process for the construction of the data structure
DigestInfo
, but simply assume that the data bytes correspond to the value
H
(
M
)
(but see in this connection [RDS1]).
From the cryptographic point of view there are several fundamental
requirements to place on hash functions so as not to diminish the security of
a redundancy scheme based on such a function and thereby call the entire
signing procedure into question. When we consider the use of hash and
redundancy functions in connection with digital signatures and the possibilities
for manipulating them that might arise, we observe the following:
In accordance with our considerations thus far, we start with the assumption
that a digital signature with appendix relates to a redundancy
R
=
µ
(
M
)
whose
principal component is the hash value of the text to be signed. Two texts
M
and
M
for which
H
(
M
)=
H
(
M
)
, and consequently
µ
(
M
)=
µ
(
M
)
, possess
the same signature
S
=
R
d
=
µ
(
M
)
d
=
µ
(
M
)
d
mod
n
. The recipient of a
signature to the text
M
could now conclude that the signature actually refers
to the text
M
, which in general would be contrary to the intent of the sender.
Likewise, the sender could assume actually to have signed the text
M
. The point
here is that texts
M
=
M
with
H
(
M
)=
H
(
M
)
always exist, due to the fact
9
We have already mentioned the attack of Boneh, Joux, and Nguyen.
