Join Log in
Score:0
avatar Crypto

Signing a hash of file vs signing a file

uz flag
Simon C

If person A generated a hash (e.g sha256) of a file and then signed the hash using a private key.

Given person B only has the public key, file, signature and the hash, would verifying the signature using the public key be sufficient to prove person A signed the actual file?

What hashes and algorithms are best suited to this?

69
0 + 0
kelalaka avatar
in flag
kelalaka
Best is not a good term. What is your consideration? Person B doesn't need the hash of the file, they only need, the public key, signature, the file, and the signature scheme definition. You may have; RSA, ECDSA, EdDSA, ... those are failing under the quantum adversary and Rainbow, Falcon, and CRYSTALS-DILITHIUM remained from the 3rd round of the NIST post quantum competition. SO, what is your constraints and risks?
3
Reply
uz flag
Simon C
I'm looking for something that is quite easy to use, i.e common like pgp . Constraints and risk wise I'd be thinking it should be unbreakable for at least 100 years, even against the resources of a nation.
0
Reply
kelalaka avatar
in flag
kelalaka
So, you need the post-quantum signature schemes!
2
Reply
uz flag
Simon C
Why wouldn't RSA last 100 years or even 20 years?
0
Reply
kelalaka avatar
in flag
kelalaka
Well, If a Cryptographic quantum computer is build, Shor's algorithm will break it easily.
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
**Signature generation** generally **contains** the hashing algorithm. It can be useful for implementations to supply the hash to the final signature operation as the hashing may take place using a different process or at a different time (e.g. when the signing key is not yet available). However, for that you don't need to transmit the hash separately: the hash verification is part of signature verification and is often directly contained within the signature.
0
Reply
Score:3
fgrieu avatar Crypto
ng flag
fgrieu

Given person B only has the public key, file, signature and the hash, would verifying the signature using the public key be sufficient to prove person A signed the actual file?

Person B does not need the hash. If they get it they can use it for debugging purpose or to abort verification early, but they should not trust it. In the following I disregard any hash person B may have received.

Person B shall hash the file, and check if that hash, the public key, and the signature, verify. That's supposed¹ to prove person A signed the file.

Hashing is so much part of signature verification that's usually stated as: Person B shall check if the file, the public key, and the signature, verify.

An exception to the paragraph above is when, on top of a signature system already suitable to sign a message/file of any length using a hash $H_1$, it's added another layer of hashing with a hash $H_2$. In this case, it would be said: Person B shall hash the file with $H_2$, and check if that hash, the public key, and the signature, verify (implicitly: with the hash function $H_1$ applied to the result of $H_2$ as part of the signature verification). Such composite hashing is sometime done for performance reason, because $H_2$ is by design faster than $H_1$; or/and because $H_1$ is performed by a device (e.g. a Smart Card), and $H_2$ is performed by another (e.g. a computer using the Smart Card).

What hashes and algorithms are (suitable for) this?

From a theoretical standpoint, signature needs a hash algorithm that's collision-resistant (implying second-preimage resistant), and of width appropriate for the signature system under consideration.

If that width is at most 512-bit, SHA-512 appropriately truncated will do. For arbitrary size, there's SHAKE256. For better speed, there's Blake2.

From a practical standpoint, the hash is typically specified by the signature system or it's parameters, and that specification is often embedded with the public key in the public key certificate.

An example of signature algorithm and hash in common use is ECDSA with curve secp256r1 and hash SHA-256. Another example is Ed25519, which specifies algorithm, curve and hash (note Ed25519ph is like Ed25519, except with the dual hashing in the exception above).

¹ There's no thing like absolute proof: perhaps the public key is not that of person A; or person's A private key was stolen; or their PC was under control of a malicious actor so A wanted to sign something else entirely; or the signature system or the hash is broken…

0 + 0
Maarten Bodewes avatar
in flag
Maarten Bodewes
Well, yes, many protocols support multiple data elements, and sending a hash of the **unknown/unread** data elements then helps a lot. Merkle trees and whatnot. E.g. the eMRTD/ePassport contains a set of hashes over data groups. This is not exactly signing a transmitted hash of course, *just* double hashing isn't useful for this. Although multi-level hashing is in the answer, it seems to focus on performance (but TBH, the question doesn't address this use case either).
0
Reply
uz flag
Simon C
In my use case I only wanted to sign the hash using the private key. The reason for this is to save bandwidth. Since the storage systems and the signing are separate and the communication between them is already trusted it is faster and less expensive to transmit a hash rather than a very large file for signing.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.