Hanno Böck wrote:
> Actually there is some info on that in the PSS spec [1]. What I write
> here is my limited understanding, but roughly I'd interpret it as this:
> It says that if you use a non-random salt the security gets reduced to
> the security of full domain hashing, which was kinda the predecessor of
> PSS.
> I'd conclude from that that even in a situation where the salt
> generation is a non-random value nothing really bad happens. The
> security of a PSS scheme without randomness is still better than that
> of a PKCS #1 1.5 signature.
The urban myth about the advantages of the RSA-PSS signature scheme over PKCS#1 v1.5 keeps coming up. It has been mentioned here before:

Fedor Brunner wrote on 4 Mar 2016 17:45:19:
> Please see the paper "Another Look at ``Provable Security''" from Neal
> Koblitz and Alfred Menezes.
>
> https://eprint.iacr.org/2004/152
>
> Section 7: Conclusion
>
> "There is no need for the PSS or Katz-Wang versions of RSA;
> one might as well use just the basic 'hash and exponentiate' signature
> scheme (with a full-domain hash function)."

The advantages of the RSA-PSS signature scheme are limited to situations where the rightful owner of the private signing key is not supposed to have access to the bits of the private key (i.e. key kept in hardware).

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
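The salt behaviour the two messages above argue about, shown as an added example that is not part of this thread and not any library's code: the EMSA-PSS encode and verify steps written out from the RFC 8017 description, so one can see that a zero-length (non-random) salt makes the encoding a deterministic hash-and-pad much like full-domain hashing, that a random salt makes each encoding differ, and that the verifier recovers the salt from the encoded message rather than needing it in advance. SHA-256, a 2048-bit modulus (emBits = 2047) and the sample message are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256            # hash for mHash, H and MGF1 (assumption: SHA-256)
H_LEN = HASH().digest_size

def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed||0) || Hash(seed||1) || ... truncated to mask_len."""
    blocks = (mask_len + H_LEN - 1) // H_LEN
    return b"".join(HASH(seed + c.to_bytes(4, "big")).digest() for c in range(blocks))[:mask_len]

def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1); em_bits is modBits - 1 and the caller supplies the salt."""
    em_len = (em_bits + 7) // 8
    s_len = len(salt)
    if em_len < H_LEN + s_len + 2:
        raise ValueError("encoding error: salt too long for this modulus")
    h = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()   # H = Hash(M') ties salt to message
    db = b"\x00" * (em_len - s_len - H_LEN - 2) + b"\x01" + salt
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    top_mask = 0xFF >> (8 * em_len - em_bits)                          # clear leftmost 8*emLen-emBits bits
    return bytes([masked_db[0] & top_mask]) + masked_db[1:] + h + b"\xbc"

def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2): the salt is recovered from EM, so the verifier never needs it."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:
        return False
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db = bytes([db[0] & top_mask]) + db[1:]
    ps_len = em_len - H_LEN - s_len - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False
    salt = db[ps_len + 1:]                                             # empty when s_len == 0
    expected = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    return hmac.compare_digest(expected, h)

if __name__ == "__main__":
    msg, bits = b"constructed sample message", 2047                    # emBits for a 2048-bit modulus
    fdh_like = [emsa_pss_encode(msg, bits, b"") for _ in range(2)]     # sLen = 0: deterministic, FDH-like
    random_salt = [emsa_pss_encode(msg, bits, os.urandom(32)) for _ in range(2)]
    print("zero-length salt repeats:", fdh_like[0] == fdh_like[1])           # True
    print("random salt repeats:     ", random_salt[0] == random_salt[1])     # False
    print("both random-salt encodings verify:",
          all(emsa_pss_verify(msg, e, bits, 32) for e in random_salt))       # True
```

The encoded message EM is what RSASP1 would then exponentiate with the private key; the signature operation itself is left out since the point under discussion is the salt.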