PSS+SHAKE128/512+SHAKE128 or PSS+SHAKE256/512+SHAKE256 (as SHAKEs being used as MGF) would be more efficient options. NIST is working on a formal specification for the SHAKEs being used as fixed output-length hash functions such as SHAKE128/256, SHAKE128/512 and SHAKE256/512.
Prepending a random salt of 512-bit in length (fixed length of 512 bits) to the message should work and this is very simple and efficient. Quynh. ________________________________________ From: TLS <tls-boun...@ietf.org> on behalf of Hanno Böck <ha...@hboeck.de> Sent: Thursday, March 3, 2016 11:11 AM To: Blumenthal, Uri - 0553 - MITLL; tls@ietf.org Subject: Re: [TLS] RSA-PSS in TLS 1.3 On Thu, 3 Mar 2016 15:29:37 +0000 "Blumenthal, Uri - 0553 - MITLL" <u...@ll.mit.edu> wrote: > Also, wasn't PSS developed before SHA3 and SHAKE were known, let > alone available? Yeah, more than 10 years before. It's more the other way found: PSS and other constructions showed the need for hash functions with a defined output length. SHAKE is such a function. PSS uses a construction called MGF1, which essentially takes an existing fixed-output-length hash, combines that with a counter and produces some construction. SHAKE deprecates the need for such a workaround. So instead of using PSS+SHA256+MGF1-with-SHA256 you could say you use PSS+SHA-3-256+SHAKE256. I don't think this changes a whole lot in regards to security (as long as we assume both sha256 and sha-3-256 are very secure algorithms). > It may be worth asking the authors what's their opinion of FDH vs PSS > in view of the state of the art *today*. You may do that, but I doubt that changes much. I think FDH really is not an option at all here. It may very well be that there are better ways to do RSA-padding, but I don't think that this is viable for TLS 1.3 (and I don't think FDH is better). PSS has an RFC (3447) and has been thoroughly analyzed by research. I think there has been far less analyzing effort towards FDH (or any other construction) and it is not in any way specified in a standards document. If one would want to use FDH or anything else one would imho first have to go through some standardization process (which could be CFRG or NIST or someone else) and call for a thorough analysis of it by the cryptographic community. Which would take at least a couple of years. Given that there probably is no long term future for RSA anyway (people want ECC and postquantum is ahead) I doubt anything else than the primitives we already have in standards will ever be viable. -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42 _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
