"The main conclusion of our work is that from a provable security perspective RSA PKCS#1 v1.5 can be safely used, if the output length of the hash function is chosen appropriately." https://twitter.com/IACR_News/status/1042853922195611652 …
The advantage of deterministic PSS is that you might actually be able to use it to interoperate with things that you didn't create, since PSS is a widely-deployed standard. I don't know of any implementations of any other FDH for RSA.
I doubt verifiable determinism adds much, if you need to interoperate. If you wanted, say, a blind-issued RSA cert, then you must use a real FDH for the blinding factor, but PSS sounds okay for the signature, except you must tweak the security proofs.