Re: [GNU Crypto] about emsa-pss
From: Raif S. Naffah
Subject: Re: [GNU Crypto] about emsa-pss
Date: Wed, 8 Mar 2006 06:00:58 +1100
User-agent: KMail/1.9.1
On Monday 06 March 2006 14:25, chendongdong wrote:
> ...
> Which kind of salt should I provide?
From RSA's submission to the NESSIE project (annex-B, page 8):
"RSA-PSS is different than other RSA-based signature schemes in that it
is probabilistic rather than deterministic, incorporating a randomly
generated salt value. The salt value enhances the security of the
scheme by affording a “tighter” security proof than deterministic
alternatives such as Full Domain Hashing (FDH) (see [14] for
discussion). However, the randomness is not critical to security. In
situations where random generation is not possible, a fixed value or a
sequence number could be employed instead, with the resulting provable
security similar to that of FDH [15]. The randomness also reduces the
requirements on the underlying hash function. Since an opponent does
not know which salt value the signer will select, finding a collision in
the hash function (two messages with the same hash value) does not
enable an opponent to forge signatures. Accordingly, the
collision-resistance of the hash function is not as important as in a
deterministic signature scheme."
I hope this answers your question.
cheers;
rsn
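The effect of the salt choice discussed above, as an added example that is not part of the original message and is not GNU Crypto code: EMSA-PSS encoding and verification following RFC 8017 section 9.1, comparing a random salt with a fixed one. SHA-256, MGF1, the 2047-bit encoded-message length and all function names are assumptions of this example; the RSA private-key operation applied to the encoded message is omitted.

```python
import hashlib, hmac, os

HASH = hashlib.sha256            # assumed hash; also used inside MGF1
HLEN = HASH().digest_size

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation: Hash(seed || counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def emsa_pss_encode(msg: bytes, em_bits: int, salt: bytes) -> bytes:
    """Build EM = maskedDB || H || 0xbc; the caller chooses the salt."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error: EM too short for this salt")
    h = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, len(db))))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)   # clear unused top bits
    return bytes(masked) + h + b"\xbc"

def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """Recover the salt from EM and recompute H; no secret is needed."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top_mask & 0xFF:
        return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, len(masked))))
    db[0] &= top_mask
    pad_len = em_len - HLEN - s_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return False
    salt = bytes(db[pad_len + 1:])
    expected = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
    return hmac.compare_digest(h, expected)

if __name__ == "__main__":
    msg, bits = b"constructed sample message", 2047   # 2048-bit modulus - 1
    r1 = emsa_pss_encode(msg, bits, os.urandom(32))
    r2 = emsa_pss_encode(msg, bits, os.urandom(32))
    f1 = emsa_pss_encode(msg, bits, b"\x00" * 32)
    f2 = emsa_pss_encode(msg, bits, b"\x00" * 32)
    print("random salt, same message, same EM:", r1 == r2)
    print("fixed salt,  same message, same EM:", f1 == f2)
    print("all verify:", all(emsa_pss_verify(msg, e, bits, 32) for e in (r1, r2, f1, f2)))
```

Both variants verify; the fixed salt only makes the encoding deterministic, which is the FDH-like case the quoted passage describes.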