On Thu, 3 Mar 2016 15:29:37 +0000 "Blumenthal, Uri - 0553 - MITLL" <u...@ll.mit.edu> wrote:
> Also, wasn't PSS developed before SHA3 and SHAKE were known, let
> alone available?

Yeah, more than 10 years before. It's more the other way round: PSS and other constructions showed the need for hash functions with a defined output length. SHAKE is such a function. PSS uses a construction called MGF1, which essentially takes an existing fixed-output-length hash, combines that with a counter and produces some construction. SHAKE deprecates the need for such a workaround.

So instead of using PSS+SHA256+MGF1-with-SHA256 you could say you use PSS+SHA-3-256+SHAKE256. I don't think this changes a whole lot in regards to security (as long as we assume both sha256 and sha-3-256 are very secure algorithms).

> It may be worth asking the authors what's their opinion of FDH vs PSS
> in view of the state of the art *today*.

You may do that, but I doubt that changes much. I think FDH really is not an option at all here. It may very well be that there are better ways to do RSA padding, but I don't think that this is viable for TLS 1.3 (and I don't think FDH is better).

PSS has an RFC (3447) and has been thoroughly analyzed by research. I think there has been far less analyzing effort towards FDH (or any other construction) and it is not in any way specified in a standards document. If one would want to use FDH or anything else one would imho first have to go through some standardization process (which could be CFRG or NIST or someone else) and call for a thorough analysis of it by the cryptographic community. Which would take at least a couple of years.

Given that there probably is no long term future for RSA anyway (people want ECC and postquantum is ahead) I doubt anything else than the primitives we already have in standards will ever be viable.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
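The MGF1-versus-SHAKE point made in the message above, worked through in code. This is an added example, not code from Hanno or from the TLS thread: MGF1 follows RFC 3447 B.2.1 and the EMSA-PSS encode/verify steps follow RFC 3447 9.1, while the function names, the `SHA2_SUITE`/`SHA3_SUITE` pairings and the use of Python's `hashlib` are assumptions of this example. The `em_bits` value of 1023 stands in for a 1024-bit modulus (emBits = modBits - 1); no RSA operation is performed.

```python
import hashlib
import hmac


def mgf1(seed: bytes, mask_len: int, hash_fn=hashlib.sha256) -> bytes:
    """MGF1 (RFC 3447 B.2.1): Hash(seed || C) for 4-byte counter C = 0, 1, ..., truncated."""
    hlen = hash_fn().digest_size
    out = b""
    for counter in range((mask_len + hlen - 1) // hlen):
        out += hash_fn(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def shake256_mgf(seed: bytes, mask_len: int) -> bytes:
    """XOF mask: SHAKE256 yields any output length natively, so no counter is needed."""
    return hashlib.shake_256(seed).digest(mask_len)


# Assumed pairings for this example: the two suites named in the thread.
SHA2_SUITE = dict(hash_fn=hashlib.sha256, mgf=mgf1)
SHA3_SUITE = dict(hash_fn=hashlib.sha3_256, mgf=shake256_mgf)


def emsa_pss_encode(msg: bytes, em_bits: int, salt: bytes,
                    hash_fn=hashlib.sha256, mgf=mgf1) -> bytes:
    """EMSA-PSS-ENCODE (RFC 3447 9.1.1) with a pluggable mask generation function."""
    hlen, em_len = hash_fn().digest_size, (em_bits + 7) // 8
    if em_len < hlen + len(salt) + 2:
        raise ValueError("encoding error")
    m_hash = hash_fn(msg).digest()
    h = hash_fn(b"\x00" * 8 + m_hash + salt).digest()      # H = Hash(M')
    db = b"\x00" * (em_len - len(salt) - hlen - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf(h, em_len - hlen - 1)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)             # clear leftmost bits
    return bytes(masked) + h + b"\xbc"


def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, salt_len: int,
                    hash_fn=hashlib.sha256, mgf=mgf1) -> bool:
    """EMSA-PSS-VERIFY (RFC 3447 9.1.2); structural checks, then constant-time H == H'."""
    hlen, em_len = hash_fn().digest_size, (em_bits + 7) // 8
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em_len < hlen + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - hlen - 1], em[em_len - hlen - 1:-1]
    if masked[0] & ~top_mask & 0xFF:            # leftmost bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf(h, em_len - hlen - 1)))
    db[0] &= top_mask
    ps_len = em_len - hlen - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:  # PS must be zeros, then 0x01
        return False
    salt = bytes(db[ps_len + 1:])
    h_prime = hash_fn(b"\x00" * 8 + hash_fn(msg).digest() + salt).digest()
    return hmac.compare_digest(h, h_prime)
```

Swapping `SHA2_SUITE` for `SHA3_SUITE` changes only the hash and the mask function; the PSS structure (salt, padding string, 0xbc trailer, masked DB) is identical, which is the "doesn't change a whole lot" point in the message.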
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls