On Fri, Oct 23, 2015 at 02:08:58PM -0700, Jeffrey Walton wrote:
> > I would still recommend changing the Java code to use hashed signature.
> > ..so forgive me if I'm missing something obvious (like the use case :)..
>
> Hashing a message before signing it is one of the earliest public key
> discoveries and attacks. Bernstein has a very good history on the subject
> at "RSA signatures and Rabin–Williams signatures: the state of the art",
> http://cr.yp.to/sigs/rwsota-20080131.pdf.
>
> My apologies if your problem domain takes you in another direction.
Signatures with no hash applied to the message are a valid, specific problem domain, as in DAA, U-Prove and Idemix. A hash is only used there to produce an unpredictable challenge for the non-interactive variant of a proof system.

Consider a message to be a set of user attributes: no ASN.1 encoding and hashing, just integers. In the case of U-Prove, field elements, residues modulo the prime order of a group. Hashing the attributes together would defeat the algebraic relations at the core of non-interactive proofs, leaving no "selective information disclosure" property for the attributes signed.

I'm writing this to avoid over-generalizing the hash-and-sign approach.

Vadym Fedyukovych
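The following is an added example, not code from the thread and not U-Prove, Idemix or DAA themselves: a Schnorr-style proof of knowledge of a representation in a prime-order group, made non-interactive with Fiat-Shamir, over a commitment to a list of attributes. It illustrates the point Vadym makes above. The attributes are kept as residues mod q inside the commitment, which is what lets the prover reveal a chosen subset (here a country code) and prove knowledge of the rest; SHA-256 appears in exactly one place, deriving the verifier's challenge from the public transcript. Parameter sizes (a 128-bit safe prime), the attribute values, the `g0^r * prod g_i^a_i` commitment shape and the function names are all assumptions made for this example.

```python
import hashlib
import random
import secrets


def _is_probable_prime(n, rounds, rng):
    """Miller-Rabin with `rounds` random bases drawn from `rng`."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(n_attrs, bits=128, seed=2015):
    """Public parameters, derived deterministically from `seed`: a safe prime
    p = 2q + 1 and n_attrs + 1 generators g0..gn of the order-q subgroup.
    128 bits is a demo size (assumed here), far below a production choice."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q, 20, rng) and _is_probable_prime(2 * q + 1, 20, rng):
            break
    p = 2 * q + 1
    gens = []
    while len(gens) < n_attrs + 1:
        g = pow(rng.randrange(2, p - 1), 2, p)  # squaring lands in the order-q subgroup
        if g != 1 and g not in gens:
            gens.append(g)
    return p, q, gens


def commit(params, attrs, r):
    """C = g0^r * prod_i g_i^{a_i} mod p. The attributes enter as field
    elements; nothing about them is hashed."""
    p, q, gens = params
    assert len(attrs) == len(gens) - 1
    C = pow(gens[0], r % q, p)
    for g, a in zip(gens[1:], attrs):
        C = C * pow(g, a % q, p) % p
    return C


def _challenge(params, C, T, disclosed):
    """Fiat-Shamir challenge: the only use of a hash. It binds the challenge
    to the public transcript and never touches the hidden attributes."""
    p, q, gens = params
    items = [p, q, *gens, C, T, *(v for kv in sorted(disclosed.items()) for v in kv)]
    h = hashlib.sha256("|".join(map(str, items)).encode()).digest()
    return int.from_bytes(h, "big") % q


def prove(params, attrs, r, disclose):
    """Reveal attrs[i] for i in `disclose`; prove knowledge of r and the
    remaining attributes without revealing them."""
    p, q, gens = params
    C = commit(params, attrs, r)
    disclosed = {i: attrs[i] % q for i in disclose}
    hidden = [i for i in range(len(attrs)) if i not in disclosed]
    t0 = secrets.randbelow(q)                       # fresh nonces: reuse leaks secrets
    t = {i: secrets.randbelow(q) for i in hidden}
    T = pow(gens[0], t0, p)
    for i in hidden:
        T = T * pow(gens[i + 1], t[i], p) % p
    c = _challenge(params, C, T, disclosed)
    s0 = (t0 + c * r) % q
    s = {i: (t[i] + c * attrs[i]) % q for i in hidden}
    return {"C": C, "T": T, "disclosed": disclosed, "s0": s0, "s": s}


def verify(params, proof, n_attrs):
    p, q, gens = params
    C, T, disclosed, s0, s = (proof[k] for k in ("C", "T", "disclosed", "s0", "s"))
    if set(disclosed) | set(s) != set(range(n_attrs)) or set(disclosed) & set(s):
        return False
    # Divide the disclosed attributes out of C algebraically (exponent q - a is g^-a) ...
    C_hidden = C
    for i, a in disclosed.items():
        C_hidden = C_hidden * pow(gens[i + 1], -a % q, p) % p
    # ... then check the Schnorr representation equation on what remains.
    c = _challenge(params, C, T, disclosed)
    lhs = pow(gens[0], s0, p)
    for i, si in s.items():
        lhs = lhs * pow(gens[i + 1], si, p) % p
    return lhs == T * pow(C_hidden, c, p) % p


def demo():
    """Constructed attributes (age, country code, id number); disclose only the country."""
    params = make_group(3)
    attrs = [34, 840, 19700101]
    r = secrets.randbelow(params[1])
    proof = prove(params, attrs, r, disclose=[1])
    return proof["disclosed"], verify(params, proof, 3)


if __name__ == "__main__":
    print(demo())
```

A proof produced this way verifies against the commitment while revealing only the chosen attribute; altering a disclosed value, omitting it from the transcript, or presenting the proof against a different commitment makes `verify` return `False`. Had the three attributes been hashed into one digest before signing, there would be no residue left to divide out of `C`, which is the property Vadym is pointing at.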