Hi Hanno:

The papers [1] and [2] may be of interest here. In [2], Section 3.3, Alfred Menezes and Neal Koblitz compare FDH-hash RSA signatures, PSS (lots of randomness in the salt), and a scheme by Wang and Katz that only contains one bit of randomness with signing and is claimed to have tight reductions (see also [1]) and argue a "Pass on PSS".

[1] Signature Schemes - Efficient, with Tight Security Reductions (Jonathan Katz, Nan Wang, CCCS 2003). Available from https://www.cs.umd.edu/~jkatz/papers/CCCS03_sigs.pdf
[2] Provable Security, Another Look at (Alfred Menezes, Neal Koblitz, IACR ePrint 2004-152). Available from https://eprint.iacr.org/2004/152

On 8/7/2016 2:57 AM, Hanno Böck wrote:
Hi,

On Sat, 6 Aug 2016 18:54:56 -1000
Brian Smith <br...@briansmith.org> wrote:

Also, I think it would be great if people working on proofs of
security for TLS could take into consideration the fact that
some--perhaps many--implementations will intentionally or accidentally
use some form of deterministic or less-than-random salt generation for
RSA-PSS. For example, it would be great to see a "What if the salt(s)
in the RSA PSS signature(s) were generated deterministically?" section
of papers describing such proofs.

Actually there is some info on that in the PSS spec [1]. What I write
here is my limited understanding, but roughly I'd interpret it as this:
It says that if you use a non-random salt the security gets reduced to
the security of full domain hashing, which was kinda the predecessor of
PSS.
I'd conclude from that that even in a situation where the salt
generation is a non-random value nothing really bad happens. The
security of a PSS scheme without randomness is still better than that
of a PKCS #1 1.5 signature.

Maybe some more knowledgeable people want to add something, but the
bottom line is I think that we don't need to worry too much about the
randomness part here. Unlike with other situations (e.g. ecdsa/dsa) the
randomness is not a piece that once you take it away everything blows
up.

[1] https://tools.ietf.org/html/rfc3447
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

--
email: rstruik....@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
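An added example, my own code rather than anything from the thread or RFC 3447's authors, of the EMSA-PSS encoding layer (RFC 3447 Section 9.1) with the salt supplied by the caller, so the deterministic-salt case Hanno describes can be checked directly: a fixed salt, or an empty salt (sLen = 0, the FDH-like case), gives a repeatable encoding that still passes EMSA-PSS-VERIFY, while a random salt gives a fresh encoding each time. SHA-256, MGF1 with SHA-256 and emBits = 2047 (a 2048-bit modulus) are assumed; the RSA private operation itself is left out, and the message bytes are constructed.

```python
import hashlib
import os
HASH, H_LEN = hashlib.sha256, 32  # hLen for SHA-256


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 3447 Appendix B.2.1): Hash(seed || counter) blocks, truncated."""
    blocks = (HASH(seed + c.to_bytes(4, "big")).digest()
              for c in range((mask_len + H_LEN - 1) // H_LEN))
    return b"".join(blocks)[:mask_len]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pss_encode(msg: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 3447 9.1.1); the salt is supplied by the caller."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("encoding error")
    h = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()  # H = Hash(M')
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, em_len - H_LEN - 1)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused leading bits
    return bytes(masked) + h + b"\xbc"


def pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 3447 9.1.2) for an expected salt length s_len."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top:  # leading bits must be zero
        return False
    db = bytearray(xor(masked, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= top
    ps_len = em_len - H_LEN - s_len - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1 :])  # empty when s_len == 0
    return HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest() == h


def compare_salts(msg: bytes, em_bits: int = 2047) -> tuple:
    """(random salts differ, fixed salt repeats, empty salt repeats, all verify)."""
    rnd = [pss_encode(msg, em_bits, os.urandom(H_LEN)) for _ in range(2)]
    fixed = [pss_encode(msg, em_bits, b"\x11" * H_LEN) for _ in range(2)]
    fdh = [pss_encode(msg, em_bits, b"") for _ in range(2)]  # sLen = 0: FDH-like
    ok = all(pss_verify(msg, e, em_bits, n) for e, n in
             [(rnd[0], H_LEN), (fixed[0], H_LEN), (fdh[0], 0)])
    return rnd[0] != rnd[1], fixed[0] == fixed[1], fdh[0] == fdh[1], ok
```

Note that the verifier must be told the expected salt length: an encoding made with a 32-byte salt does not verify when checked with sLen = 0, and vice versa.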