Hanno Böck:
> On Thu, 3 Mar 2016 13:35:46 +0000
> "Dang, Quynh (Fed)" <quynh.d...@nist.gov> wrote:
>
>> Why don't we use an even more elegant RSA signature called "
>> full-domain hash RSA signature" ?
>
> Full Domain Hashing was originally developed by Rogaway and Bellare and
> then later dismissed because they found that they could do better. Then
> they developed PSS.
>
> See
> http://web.cs.ucdavis.edu/~rogaway/papers/exact.pdf
>
> So in essence FDH is a predecessor of PSS and the authors of both
> schemes came to the conclusion that PSS is the superior scheme.
>
>
>> As you know, a SHAKE (as a variable output-length hash function)
>> naturally produces a hash value which fits any given modulus size.
>> Therefore, no paddings are needed which avoids any potential issues
>> with the paddings and the signature algorithm would be very simple.
>
> You could also use SHAKE in PSS to replace MGF1. This is probably
> desirable if you intend to use PSS with SHA-3.
>
> PSS doesn't really have any padding in the traditional sense. That is,
> all the padding is somehow either hashed or xored with a hashed value.
> I don't think any of the padding-related issues apply in any way to
> PSS, if you disagree please explain.
>
> (shameless plug: I wrote my thesis about PSS, in case anyone wants to
> read it: https://rsapss.hboeck.de/ - it's been a while, don't be too
> hard on me if I made mistakes)
>
>

Please see the paper "Another Look at ``Provable Security''" from Neal Koblitz and Alfred Menezes.
https://eprint.iacr.org/2004/152

Section 7: Conclusion
"There is no need for the PSS or Katz-Wang versions of RSA; one might as well use just the basic “hash and exponentiate” signature scheme (with a full-domain hash function)."

Fedor
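The two encodings compared in this thread, as an added example that is not code from any of the posters: a full-domain hash built from SHAKE256, and the EMSA-PSS encoding (structure as in RFC 8017) with SHAKE256 used in place of MGF1. The 64-byte hash length, the function names and the salt handling are assumptions made for the example; it covers only the message encoding and its check, not the RSA exponentiation.

```python
import hashlib
import hmac

HLEN = 64  # bytes of SHAKE256 output used as the message hash (assumed choice)

def shake(data: bytes, n: int) -> bytes:
    return hashlib.shake_256(data).digest(n)

def fdh_encode(msg: bytes, em_bits: int) -> bytes:
    """FDH: one SHAKE call stretched to the modulus size, deterministic.
    Simplification: clearing the top bits keeps the value below the modulus."""
    em_len = (em_bits + 7) // 8
    em = bytearray(shake(msg, em_len))
    em[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(em)

def pss_encode(msg: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS: every fixed byte except the 0xbc trailer is hashed or masked."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error: modulus too small")
    h = shake(b"\x00" * 8 + shake(msg, HLEN) + salt, HLEN)
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    mask = shake(h, len(db))  # SHAKE256 output replaces MGF1(h, len(db))
    masked = bytearray(a ^ b for a, b in zip(db, mask))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked) + h + b"\xbc"

def pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:-HLEN - 1], em[-HLEN - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:  # bits above em_bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked, shake(h, len(masked))))
    db[0] &= top
    ps_len = em_len - HLEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:  # zero run, then 0x01 separator
        return False
    salt = bytes(db[ps_len + 1:])
    expect = shake(b"\x00" * 8 + shake(msg, HLEN) + salt, HLEN)
    return hmac.compare_digest(h, expect)
```

For a 2048-bit modulus, `em_bits` is 2047. The signer would pass a fresh random salt (for example from `os.urandom`) to `pss_encode`; the verifier recovers it from the unmasked block.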