Hi all,

Why don't we use an even more elegant RSA signature called "full-domain hash RSA signature"?

As you know, a SHAKE (as a variable output-length hash function) naturally produces a hash value which fits any given modulus size. Therefore, no paddings are needed, which avoids any potential issues with the paddings, and the signature algorithm would be very simple.

Regards,
Quynh.

________________________________________
From: TLS <tls-boun...@ietf.org> on behalf of Dave Garrett <davemgarr...@gmail.com>
Sent: Wednesday, March 2, 2016 4:16 PM
To: tls@ietf.org
Subject: Re: [TLS] RSA-PSS in TLS 1.3

On Wednesday, March 02, 2016 01:57:48 am Viktor Dukhovni wrote:
> adaptive attacks are I think a greater potential
> threat against interactive TLS than against a bunch of CA-authored
> bits at rest.

+1

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
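
The full-domain hash construction proposed in the message above, as an added example that is not part of the original thread or of any TLS specification: SHAKE256 output is sized to the modulus and signed directly, with no padding step. Assumptions of this example: the demo key is built from two Mersenne primes and is not secure, the hash is truncated to one bit less than the modulus so it is always below n, and the names `fdh`, `sign` and `verify` are hypothetical.

```python
import hashlib

# Constructed demo key: p and q are the Mersenne primes 2^521-1 and 2^607-1.
# Chosen only so the example needs no key-generation code; NOT a secure key.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)


def fdh(message: bytes, n: int = N) -> int:
    """Hash a message to an integer covering almost all of Z_n with SHAKE256.

    Assumption of this example: request as many bytes as the modulus has,
    then drop the excess low bits so the result has at most bitlen(n)-1 bits
    and is therefore always < n. The message above fixes no encoding.
    """
    nbits = n.bit_length()
    nbytes = (nbits + 7) // 8
    digest = hashlib.shake_256(message).digest(nbytes)
    return int.from_bytes(digest, "big") >> (8 * nbytes - (nbits - 1))


def sign(message: bytes) -> int:
    # No padding step: the signature is simply H(m)^d mod n.
    return pow(fdh(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    # Reject out-of-range values, then compare s^e mod n with H(m).
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == fdh(message)


if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg)
    print("hash bits:", fdh(msg).bit_length(), "modulus bits:", N.bit_length())
    print("valid:", verify(msg, sig))
    print("tampered:", verify(msg + b"!", sig))
```

With a fixed-length hash such as SHA-256 the 256-bit digest would occupy only a small part of the 1128-bit modulus, which is the gap that padding schemes exist to fill.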