James Muir wrote:
PSS is similar to OAEP, but is for signatures. If you have OAEP
implemented, then it wouldn't take you long to do PSS, which is
described in the PKCS-1v2.1 document.
This is the answer I suspected in reading the original post question.
Hacking OAEP into a signature scheme sounds a little dangerous.
However, I guess the idea would idea would just be to hash your message
and "encrypt" the hash with the private exponent. You want your
signature scheme to be existentially unforgeable. If could forge one of
these signatures, then I not certain what that says about the security
of OAEP encryption (maybe nothing since anyone can create validate OAEP
ciphertexts).
I guess the original poster did not expect to create a new/modified
signature scheme, but "just" implement a recognized one.
Full-domain-hash RSA is quite easy to implement. If you don't like PSS,
then you could look at it.
Oh great ... I thought I was the only one to have taken note of
full-domain-hash.
My understanding is that full-domain-hash remains a useful academic
contribution to the formal proofs of PK cryptosystems. It is also
antagonistic to the push towards ECC signatures. Certainly NIST is not
interested since this organization pushes for ECC technology development
and adoption. At least I did not see any reference to an "FDH mode" for
secure hash competition candidates.
In practice, full-domain-hash has a serious performance penalty if one
takes the implementation suggestion from [1]. You would do me a favor in
providing references to practical implementation strategies.
[1] Mihir Bellare, Phillip Rogaway: The Exact Security of Digital
Signatures - How to Sign with RSA and Rabin. EUROCRYPT 1996: pp399–416
http://www.cs.ucdavis.edu/~rogaway/papers/exact.pdf
-James
On 13-01-26 10:00 AM, ianG wrote:
Apologies in advance ;) but a cryptography question:
I'm coding (or have coded) a digital signature class in RSA. In my
research on how to frame the input to the RSA private key operation, I
was told words to effect "just use OAEP and you're done and dusted."
Which was convenient as that was already available/coded.
Maybe the advice should be taken with caution:
1) from this advice alone you were not warned that OAEP encryption
principles turn into RSA-PSS for signatures, and
2) implementation-wise, RSA-PSS turns the secret random source into a
critical system component (which is incrementally inconvenient if no
other crypto usage of secret random numbers exists in the operational
digital signature system -- the full-domain-hash avenue does not carry
this secret random source dependency).
However I haven't seen any other code doing this - it is mostly PKCS1,
etc, and RFC3447 doesn't enlighten in this direction.
Could OAEP be considered reasonable for signatures? or is this a case
of totally inappropriate? Or somewhere in between?
iang
Regards,
--
- Thierry Moreau
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
