On Fri, Jul 10, 2015 at 4:15 PM, Filip Paun <paunfi...@gmail.com> wrote:
> Suppose I have a message M for which I generate an RSA-2048 digital
> signature as follows:
>
> H = SHA-256(M)
> S = H^d mod N
>
> Assume N = p*q is properly generated and d is the RSA private key.
>
> And I verify the signature as follows:
>
> S^e mod N == H'
>
> where H' is the SHA-256 of the message to be authenticated. Assume e is the
> RSA public key.
>
> Since I've not used any padding then are there any flaws with the above
> approach? What if e = 3? What if e = 2^16+1?
>
> Your guidance is much appreciated.
>
> Thank you,
> Filip

This is a bad idea. Note that the Full-Domain Hash (FDH) signature scheme
would use a hash mapping the message to all of Z*_N, where here you have a
hash mapping to the (much smaller) space of 256-bit strings. The problem is
that this makes attacks based on factoring H(m) (in your case a 256-bit
number rather than a 2048-bit number) and then using multiplicative
properties of RSA much easier.

The size of e is irrelevant.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
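
The multiplicative property and the size gap discussed in the reply above, as an added example that is not part of the original thread. Assumptions: the toy key is built from two public Mersenne primes (insecure, used only to get a realistically sized modulus without a key generator), and `full_domain_hash` is a SHAKE-256 stand-in for an FDH-style mapping, not a standardized construction.

```python
import hashlib

# Constructed toy key: both primes are publicly known Mersenne primes, so this
# key is NOT secure. It only provides a modulus of realistic size (1886 bits).
P = 2**607 - 1
Q = 2**1279 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def short_hash(msg: bytes) -> int:
    """H = SHA-256(M) read as an integer, as in the question (at most 256 bits)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def full_domain_hash(msg: bytes) -> int:
    """Assumed FDH-style mapping: SHAKE-256 output stretched past the modulus
    size, then reduced mod N, so digests cover (almost) all of Z_N."""
    nbytes = (N.bit_length() + 7) // 8 + 16
    return int.from_bytes(hashlib.shake_256(msg).digest(nbytes), "big") % N


def raw_sign(h: int) -> int:
    """Unpadded signing from the question: S = H^d mod N."""
    return pow(h, D, N)


def raw_verify(sig: int, h: int) -> bool:
    """Unpadded verification from the question: S^e mod N == H'."""
    return pow(sig, E, N) == h % N


def product_signature(sig_a: int, sig_b: int) -> int:
    """Multiplicative property: S(a) * S(b) mod N equals S(a * b mod N)."""
    return (sig_a * sig_b) % N


def demo() -> dict:
    m1, m2 = b"constructed message one", b"constructed message two"
    h1, h2 = short_hash(m1), short_hash(m2)
    combined = product_signature(raw_sign(h1), raw_sign(h2))
    return {
        "modulus_bits": N.bit_length(),
        "sha256_bits": h1.bit_length(),
        "fdh_bits": full_domain_hash(m1).bit_length(),
        # The product of two valid signatures verifies for the value h1*h2,
        # which the private key never signed.
        "product_verifies": raw_verify(combined, h1 * h2),
    }


if __name__ == "__main__":
    print(demo())
```

Standardized padding such as RSASSA-PSS exists to remove exactly this structure; the FDH stand-in here only shows how much larger the hash range is meant to be.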