I have an implementation of 183 bits - I suppose it could be shortened to 160 but then the strength is severely limited.
The original strength is not retained, i.e. the shortened signature *is* weaker than the original, but depending on the application it may suffice. Please see http://www.axantum.com/AxCrypt/etc/Axantum-Strong-Licensing.pdfwhich describes how the implementation in terms of software licensing works, and lists some references that were used for this implementation. The actual implementation of the validation is available as open source under GPL. The signature tools are not open source at this time. If anyone spots a more severe weakness than the obvious one of the shortened hash, I'd of course be interested to know. Svante On Wed, Mar 16, 2011 at 4:08 PM, Chris Garbers <[email protected]> wrote: > cannot talk much about the application as such, but I have a byte- > oriented structure which is limited in size, and need to ensure that > the structure is authentic to the originator. Thus I thought EC > signature was about the only thing appropriate, however even that > seems to be too long, as I only have 20 bytes space left for the > signature. > > The counterpart verifying it, must not have posession any secret key, > thus I thought HMAC would be out of question. > > Chris > > On 16 Mrz., 13:52, Geoff Beier <[email protected]> wrote: > > Can you talk about what you're trying to accomplish? It sounds like > > maybe you're trying to use a signature where a truncated HMAC would be > > more appropriate. > > > > Geoff > > > > > > > > > > > > > > > > On Wed, Mar 16, 2011 at 07:24, Chris Garbers <[email protected]> wrote: > > > My bad. I think signatures cannot be shorter than the key, thus in the > > > example the signature will always be 28 bytes regardless of the hash > > > digest. > > > > > Instead, one would have to use a different curve definition with a > > > shorter key. > > > > > Chris > > > > > On 14 Mrz., 15:44, skubo <[email protected]> wrote: > > >> Hello Everyone, > > > > >> I'm fairly new to crypto++, so bare my potentially silly question: > > > > >> I need to calculate a signature with an eliptic curve dsa scheme, > > >> using SHA-1 hash. The issue is that space for the signature is > > >> limited, so I need to truncate the SHA-1 digest in order to reduce > > >> resulting signature length (yes, I know that the overall resulting > > >> security of the hash is lower, but that is accepted). I have found > > >> some methods in the SHA implementation for that, however I'm stuck on > > >> how I could use this together with ECDSA templates like in the example > > >> below. > > > > >> ECDSA<ECP, SHA1>::PrivateKey key; > > >> key.Load(...); > > >> ECDSA<ECP,SHA1>::Signer signer(key); > > > > >> StringSource( message, true, > > >> new SignerFilter( prng, > > >> signer, > > >> new StringSink( signature ) > > >> ) // SignerFilter > > >> ); // StringSource > > > > >> // signature is always resulting in 28 bytes length for e.g. secp112r1 > > > > >> Can anyone pinpoint me to the right direction? Any examples in how to > > >> calculate this signature with a truncated hash digest, so that the > > >> above signature would result in - say 20 bytes? > > > > >> Regards > > >> Chris > > > > > -- > > > You received this message because you are subscribed to the "Crypto++ > Users" Google Group. > > > To unsubscribe, send an email to > [email protected]. > > > More information about Crypto++ and this group is available athttp:// > www.cryptopp.com. > > -- > You received this message because you are subscribed to the "Crypto++ > Users" Google Group. > To unsubscribe, send an email to > [email protected]. > More information about Crypto++ and this group is available at > http://www.cryptopp.com. > -- You received this message because you are subscribed to the "Crypto++ Users" Google Group. To unsubscribe, send an email to [email protected]. More information about Crypto++ and this group is available at http://www.cryptopp.com.
