Also, wasn't PSS developed before SHA3 and SHAKE were known, let alone available?
It may be worth asking the authors what's their opinion of FDH vs PSS in view of the state of the art *today*. Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network. Original Message From: Dang, Quynh (Fed) Sent: Thursday, March 3, 2016 09:21 To: Hanno Böck; tls@ietf.org Subject: Re: [TLS] RSA-PSS in TLS 1.3 Hi Hanno, I think the PSS uses a random salt to get the hashing probabilistic. A customized version of a SHAKE can/may take a domain-separation string or/and a random salt. Quynh. ________________________________________ From: TLS <tls-boun...@ietf.org> on behalf of Hanno Böck <ha...@hboeck.de> Sent: Thursday, March 3, 2016 8:49 AM To: tls@ietf.org Subject: Re: [TLS] RSA-PSS in TLS 1.3 On Thu, 3 Mar 2016 13:35:46 +0000 "Dang, Quynh (Fed)" <quynh.d...@nist.gov> wrote: > Why don't we use an even more elegant RSA signature called " > full-domain hash RSA signature" ? Full Domain Hashing was originally developed by Rogaway and Bellare and then later dismissed because they found that they could do better. Then they developed PSS. See http://web.cs.ucdavis.edu/~rogaway/papers/exact.pdf So in essence FDH is a predecessor of PSS and the authors of both schemes came to the conclusion that PSS is the superior scheme. > As you know, a SHAKE (as a variable output-length hash function) > naturally produces a hash value which fits any given modulus size. > Therefore, no paddings are needed which avoids any potential issues > with the paddings and the signature algorithm would be very simple. You could also use SHAKE in PSS to replace MGF1. This is probably desirable if you intent to use PSS with SHA-3. PSS doesn't really have any padding in the traditional sense. That is, all the padding is somehow either hashed or xored with a hashed value. I don't think any of the padding-related issues apply in any way to PSS, if you disagree please explain. (shameless plug: I wrote my thesis about PSS, in case anyone wants to read it: https://rsapss.hboeck.de/ - it's been a while, don't be too hard on me if I made mistakes) -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42 _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
