From: Skybuck Flying on
Hello,

I was thinking about using RSA for its signature capabilities... it's
important that messages are signed... the messages themselves can be out in
the open... so encryption/decryption is not really needed and could actually
make it less secure for small messages and require extra work for padding.

I skimmed over this document for digital signatures, which mentions "plain"
rsa signatures are kinda weak ?!?:

http://en.wikipedia.org/wiki/Digital_signature

And also this document for RSA which mentions the padding:

http://en.wikipedia.org/wiki/RSA

What I really want is "digital signatures" for people to use, so that they
can identify themselves as being the same/true/real source of many messages.

So I wonder what the best/strongest digital signature algorithm is ?

Any ideas ?!?

Bye,
Skybuck.



From: Scott Contini on
On May 7, 2:33 pm, "Skybuck Flying" <IntoTheFut...(a)hotmail.com> wrote:
> Hello,
>
> I was thinking about using RSA for its signature capabilities... it's
> important that messages are signed... the messages themselves can be out in
> the open... so encryption/decryption is not really needed and could actually
> make it less secure for small messages and require extra work for padding.
>
> I skimmed over this document for digital signatures, which mentions "plain"
> rsa signatures are kinda weak ?!?:
>
> http://en.wikipedia.org/wiki/Digital_signature
>
> And also this document for RSA which mentions the padding:
>
> http://en.wikipedia.org/wiki/RSA
>
> What I really want is "digital signatures" for people to use, so that they
> can identify themselves as being the same/true/real source of many messages.
>
> So I wonder what the best/strongest digital signature algorithm is ?
>
> Any ideas ?!?
>
> Bye,
>   Skybuck.


RSA Signatures are weak if you don't use proper padding.
But if you do padding as in the PKCS standard, then I
think there are no known weaknesses to it.

It doesn't really make sense to say what the "strongest"
digital signature algorithm is. Many algorithms are
strong if you use a sufficiently large key. One could
talk about what the "best" one is according to speed,
code size, signature time, verification time, etc... for
some required strength level. Different algorithms do
better for different categories. An algorithm like ECDSA
does fairly well overall.


Scott

From: Skybuck Flying on
Hmmm,

I am interested in these two algorithms, which I am going to read up on ;)

http://en.wikipedia.org/wiki/Lamport_signature

http://en.wikipedia.org/wiki/Merkle_signature_scheme

I already wrote a Merkle hash tree once and it was a fun algorithm.

I am not yet sure how it's used for digital signatures so I am going to read
up on that ! ;)

RSA seems too weak and pretty damn complex.

DSA seems to have the possibility of secret channel information which
worries me.

Both RSA and DSA are based on primes and factorization and such which might
be broken by quantum computers which already exist and could become more
powerful soon.

According to the weblinks above Lamport, hashes and Merkle trees would be
more secure against quantum computers.. if that's really true remains to be
seen but it's kinda interesting.

It also allows me to re-use the Tiger hash algorithm and maybe implement the
Merkle tree myself so I don't have to be worried about code issues ?! ;) :)

I am not yet sure if Merkle trees/hashes are efficient... but so far I
think the top root needs to be sent over... I am not sure what else...
that's what I need to read up on... also a new algorithm: Lamport which
also seems kinda interesting ;)

Bye,
Skybuck.


From: Skybuck Flying on
Ok, I read these two documents, and Lamport seems to have 16 KB of data
associated with it... a bit much for my taste..

And the Merkle hash tree has a message limitation, which is a very bad
situation.

So I think I can safely dismiss these two algorithms as well..

Which might lead me back to RSA after all... maybe with some padding, and
maybe with some hashing.

Furthermore at least encryption/decryption could be used for communication
as well to obstruct snooping ISPs a little bit...

So RSA is interesting after all... but just a little bit.

Bye,
Skybuck ;) :)


From: Skybuck Flying on

"Scott Contini" <the_great_contini(a)yahoo.com> wrote in message
news:a7098064-a341-47da-b432-aaa9819d4deb(a)r21g2000prr.googlegroups.com...
On May 7, 2:33 pm, "Skybuck Flying" <IntoTheFut...(a)hotmail.com> wrote:
> Hello,
>
> I was thinking about using RSA for its signature capabilities... it's
> important that messages are signed... the messages themselves can be out in
> the open... so encryption/decryption is not really needed and could actually
> make it less secure for small messages and require extra work for padding.
>
> I skimmed over this document for digital signatures, which mentions "plain"
> rsa signatures are kinda weak ?!?:
>
> http://en.wikipedia.org/wiki/Digital_signature
>
> And also this document for RSA which mentions the padding:
>
> http://en.wikipedia.org/wiki/RSA
>
> What I really want is "digital signatures" for people to use, so that they
> can identify themselves as being the same/true/real source of many messages.
>
> So I wonder what the best/strongest digital signature algorithm is ?
>
> Any ideas ?!?
>
> Bye,
> Skybuck.


"
RSA Signatures are weak if you don't use proper padding.
But if you do padding as in the PKCS standard, then I
think there are no known weaknesses to it.
"

Some quotes from the above links which I wonder about:

'and "plain" RSA signatures are not secure'

What is meant with "plain" in this regard ? Do they mean unpadded messages ?
or non-hashed messages ? or something totally different ?

Later it goes on:

'As noted earlier, this basic scheme is not very secure. To prevent attacks,
one can first apply a cryptographic hash function to the message m and then
apply the RSA algorithm described above to the result. This approach can be
proven secure in the so-called random oracle model.'

I have a question:

If a hash function is used on M does M still need to be padded to a "safe
message length" ? and what would be a safe message length ?

(They lost me on the random oracle model.. :))

Bye,
Skybuck.
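The difference between "plain" RSA signing and the hash-then-sign construction quoted in this thread can be seen with a toy key. This is an added example, not code from any poster; the key is constructed from two known Mersenne primes purely so it runs instantly, and the hashed variant is a sketch of the idea only, not the PKCS #1 encoding mentioned earlier in the thread.

```python
import hashlib

# Toy key (constructed): real keys use secret random primes of 1024+ bits each.
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def plain_sign(m):
    # "Plain" RSA: the message integer itself is raised to the private exponent.
    return pow(m, D, N)

def plain_verify(m, s):
    return pow(s, E, N) == m % N

def digest_int(msg):
    # Hash the message bytes and map the digest into the range of the modulus.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def hashed_sign(msg):
    return pow(digest_int(msg), D, N)

def hashed_verify(msg, s):
    return pow(s, E, N) == digest_int(msg)

def to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def product_signature_accepted():
    # Two messages the key holder really signed (constructed sample values).
    m1, m2 = 1234567, 7654321
    m3 = (m1 * m2) % N  # a message the key holder never signed
    # Plain RSA is multiplicative: sig(m1) * sig(m2) is a valid sig for m1 * m2.
    plain = plain_verify(m3, plain_sign(m1) * plain_sign(m2) % N)
    # With hashing, the product of signatures matches H(m1) * H(m2), and that
    # is not H(m3), so the same combination is rejected.
    combined = hashed_sign(to_bytes(m1)) * hashed_sign(to_bytes(m2)) % N
    hashed = hashed_verify(to_bytes(m3), combined)
    return plain, hashed

if __name__ == "__main__":
    print("product accepted (plain, hashed):", product_signature_accepted())
```

Standardized signature encodings such as those in PKCS #1 hash the message and then expand the digest to the full modulus length with a fixed structure before exponentiation, so the padding applies to the digest rather than to the message itself.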