gnu-crypto-discuss
Re: [GNU Crypto] about emsa-pss


From: Raif S. Naffah
Subject: Re: [GNU Crypto] about emsa-pss
Date: Wed, 8 Mar 2006 06:00:58 +1100
User-agent: KMail/1.9.1

On Monday 06 March 2006 14:25, chendongdong wrote:
> ...
> Which kind of salt should I provide?

from RSA's submission to the NESSIE project (annex-B, page 8):

"RSA-PSS is different than other RSA-based signature schemes in that it 
is probabilistic rather than deterministic, incorporating a randomly 
generated salt value. The salt value enhances the security of the 
scheme by affording a “tighter” security proof than deterministic 
alternatives such as Full Domain Hashing (FDH) (see [14] for 
discussion). However, the randomness is not critical to security. In 
situations where random generation is not possible, a fixed value or a 
sequence number could be employed instead, with the resulting provable 
security similar to that of FDH [15]. The randomness also reduces the 
requirements on the underlying hash function. Since an opponent does 
not know which salt value the signer will select, finding a collision in 
the hash function (two messages with the same hash value) does not 
enable an opponent to forge signatures. Accordingly, the 
collision-resistance of the hash function is not as important as in a 
deterministic signature scheme."


i hope this answers your question.


cheers;
rsn

Attachment: pgpl8ZGkJTbau.pgp
Description: PGP signature