"The main conclusion of our work is that from a provable security perspective RSA PKCS#1 v1.5 can be safely used, if the output length of the hash function is chosen appropriately."https://twitter.com/IACR_News/status/1042853922195611652 …
Right now our choices are basically PKCS#1 1.5 or PSS. Adding any new hashing scheme to either is difficult enough (are people going to insist on SHA-3, for example?), so it's worth investigating alternatives to standardizing and deploying a new FDH-based RSA signature scheme.
-
Anyway, I think this kind of research is useful to help us answer questions like "To what extent is PSS with a fixed (perhaps zero-length) salt a secure deterministic signature scheme?"
-
I think new RSA uses mostly want real verifiable determinism, which true PSS lacks. A deterministic PSS is merely not-quite an FDH, so just use a real FDH. An FDH can be used for blinding factors too, but deterministic PSS is insecure if used that way.
-
The advantage of deterministic PSS is that you might actually be able to use it to interoperate with things that you didn't create, since PSS is a widely-deployed standard. I don't know of any implementations of any other FDH for RSA.
-
I doubt verifiable determinism adds much, if you need to interoperate. If you wanted say a blind issued RSA cert, then you must use a real FDH for the blinding factor, but PSS sounds okay for the signature, except you must tweak the security proofs.
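The thread keeps contrasting a "real FDH" with deterministic (zero-salt) PSS. The following is an added example, not code from any of the participants: a toy RSA Full-Domain-Hash signature in pure Python. It shows the point the quoted paper makes about hash output length, since SHA-256 is stretched MGF1-style until it covers the whole modulus, and it shows why an FDH is deterministic (no salt, so the same message always yields the same signature). The key is a constructed toy built from two Mersenne primes and is far too small for real use.

```python
import hashlib

# Constructed toy RSA key (NOT a secure size): the Mersenne primes 2^127-1 and 2^89-1.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python >= 3.8)


def full_domain_hash(msg: bytes, n: int) -> int:
    """Hash msg to an integer in [0, n), i.e. over the full RSA domain.

    A single SHA-256 output is much shorter than the modulus, so the digest is
    stretched with an MGF1-style block counter until it covers n's byte length.
    Surplus top bits are dropped; candidates >= n are rejected by bumping an
    attempt counter. No randomness is involved, so the map is deterministic.
    """
    k = n.bit_length()
    nbytes = (k + 7) // 8
    attempt = 0
    while True:
        stream = b""
        block = 0
        while len(stream) < nbytes:
            stream += hashlib.sha256(
                msg + attempt.to_bytes(4, "big") + block.to_bytes(4, "big")
            ).digest()
            block += 1
        h = int.from_bytes(stream[:nbytes], "big") >> (nbytes * 8 - k)
        if h < n:
            return h
        attempt += 1


def fdh_sign(msg: bytes, n: int = N, d: int = D) -> int:
    """RSA-FDH signature: sig = H(msg)^d mod n. No salt, hence deterministic."""
    return pow(full_domain_hash(msg, n), d, n)


def fdh_verify(msg: bytes, sig: int, n: int = N, e: int = E) -> bool:
    """Accept iff sig^e mod n equals the full-domain hash of msg."""
    return 0 <= sig < n and pow(sig, e, n) == full_domain_hash(msg, n)


if __name__ == "__main__":
    m = b"deterministic RSA-FDH demo"
    s1, s2 = fdh_sign(m), fdh_sign(m)
    print("deterministic:", s1 == s2)                   # True
    print("verifies:", fdh_verify(m, s1))               # True
    print("tampered rejected:", fdh_verify(m + b"!", s1))  # False
```

Randomized PSS would produce a different signature on each call of the signing step; here two calls on the same message are byte-for-byte identical, which is the "verifiable determinism" discussed above.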