If you're already using RSA anyways, then just doing FDH or PSS is a negligible performance hit over these archaic padding schemes, and FDH actually makes RSA useful again.
-
Right now our choices are basically PKCS#1 1.5 or PSS. Adding any new hashing scheme to either is difficult enough (are people going to insist on SHA-3, for example?), so it's worth investigating alternatives to standardizing and deploying a new FDH-based RSA signature scheme.
-
Anyway, I think this kind of research is useful to help us answer questions like "To what extent is PSS with a fixed (perhaps zero-length) salt a secure deterministic signature scheme?"
-
I think new RSA uses mostly want real verifiable determinism, which true PSS lacks. A deterministic PSS is merely not-quite an FDH, so just use a real FDH. An FDH can be used for blinding factors too, but deterministic PSS is insecure if used that way.
-
The advantage of deterministic PSS is that you might actually be able to use it to interoperate with things that you didn't create, since PSS is a widely-deployed standard. I don't know of any implementations of any other FDH for RSA.
-
I doubt verifiable determinism adds much, if you need to interoperate. If you wanted say a blind issued RSA cert, then you must use a real FDH for the blinding factor, but PSS sounds okay for the signature, except you must tweak the security proofs.
-
@matthew_d_green Having seen your position on PKCS#1 v1.5, any comments on this?