Re: [cryptography] RSA signatures without padding

2015-07-12 Thread Jonathan Katz
On Fri, Jul 10, 2015 at 7:42 PM, Filip Paun paunfi...@gmail.com wrote: Hello, Thank you for your feedback. Please see my comments below. On Fri, Jul 10, 2015 at 3:59 PM, Jonathan Katz jk...@cs.umd.edu wrote: On Fri, Jul 10, 2015 at 4:15 PM, Filip Paun paunfi...@gmail.com wrote: Suppose I

Re: [cryptography] RSA signatures without padding

2015-07-10 Thread Filip Paun
Hello, Thank you for your feedback. Please see my comments below. On Fri, Jul 10, 2015 at 3:59 PM, Jonathan Katz jk...@cs.umd.edu wrote: On Fri, Jul 10, 2015 at 4:15 PM, Filip Paun paunfi...@gmail.com wrote: Suppose I have a message M for which I generate an RSA-2048 digital signature as

[cryptography] RSA signatures without padding

2015-07-10 Thread Filip Paun
Suppose I have a message M for which I generate an RSA-2048 digital signature as follows: H = SHA-256(M) S = H^d mod N Assume N = p*q is properly generated and d is the RSA private key. And I verify the signature as follows: S^e mod N == H' where H' is the SHA-256 of the message to be

Re: [cryptography] RSA signatures without padding

2015-07-10 Thread Alexandre Anzala-Yamajako
This paper probably helps answering part of your question : http://www.iacr.org/archive/crypto2000/18800229/18800229.pdf Note that you can't replace a random oracle by SHA256 but you might have better luck with HMAC-SHA256 (https://eprint.iacr.org/2013/382.pdf)

Re: [cryptography] RSA signatures without padding

2015-07-10 Thread Jeffrey Walton
Suppose I have a message M for which I generate an RSA-2048 digital signature as follows: H = SHA-256(M) S = H^d mod N Assume N = p*q is properly generated and d is the RSA private key. And I verify the signature as follows: S^e mod N == H' where H' is the SHA-256 of the

Re: [cryptography] RSA signatures without padding

2015-07-10 Thread Michael Greene
It is my understanding that, on a very basic level, using RSA without padding allows computing “valid” signatures for new messages by combining two existing signatures, because a^d * b^d == (a * b) ^ d The use of sha256 in this case probably makes this task slightly more annoying, but by no

Re: [cryptography] RSA signatures without padding

2015-07-10 Thread Jonathan Katz
On Fri, Jul 10, 2015 at 4:15 PM, Filip Paun paunfi...@gmail.com wrote: Suppose I have a message M for which I generate an RSA-2048 digital signature as follows: H = SHA-256(M) S = H^d mod N Assume N = p*q is properly generated and d is the RSA private key. And I verify the signature