Re: [TLS] RSA-PSS in TLS 1.3

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Thu, 03 March 2016 14:21 UTC

From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Hanno Böck <hanno@hboeck.de>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] RSA-PSS in TLS 1.3
Thread-Index: AQHRcxcw0LczJ8DOZUibIUJHHuPVmp9De2eAgAAhn4CAAGkGgIAAcKsAgABx/YCAAA/+gIAAX6qAgABdhQCAAAWZAIAA79mAgAEPhOCAAAYTgIAABjju
Date: Thu, 3 Mar 2016 14:21:01 +0000
Message-ID: <BN1PR09MB12436A713F9675B8A62A089F3BD0@BN1PR09MB124.namprd09.prod.outlook.com>
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <BC718116-64C4-46C0-870C-D82DE64B4C63@gmail.com> <20160302065747.GC10917@mournblade.imrryr.org> <201603021616.15731.davemgarrett@gmail.com> <BN1PR09MB12407B52B773981DB214919F3BD0@BN1PR09MB124.namprd09.prod.outlook.com>, <20160303144947.0402bad9@pc1>
In-Reply-To: <20160303144947.0402bad9@pc1>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/3QosAosrUmzrrcBiPZnOs3EW_JY>
Subject: Re: [TLS] RSA-PSS in TLS 1.3

Hi Hanno,

I think PSS uses a random salt to make the hashing probabilistic.

A customized version of a SHAKE can/may take a domain-separation string and/or a random salt.

Quynh. 

________________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Hanno Böck <hanno@hboeck.de>
Sent: Thursday, March 3, 2016 8:49 AM
To: tls@ietf.org
Subject: Re: [TLS] RSA-PSS in TLS 1.3

On Thu, 3 Mar 2016 13:35:46 +0000
"Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:

> Why don't we use an even more elegant RSA signature called "
> full-domain hash RSA signature" ?

Full Domain Hashing was originally developed by Rogaway and Bellare and
then later dismissed because they found that they could do better. Then
they developed PSS.

See
http://web.cs.ucdavis.edu/~rogaway/papers/exact.pdf

So in essence FDH is a predecessor of PSS and the authors of both
schemes came to the conclusion that PSS is the superior scheme.


> As you know, a SHAKE (as a variable output-length hash function)
> naturally produces a hash value which fits any given modulus size.
> Therefore, no paddings are needed which avoids any potential issues
> with the paddings and the signature algorithm would be very simple.

You could also use SHAKE in PSS to replace MGF1. This is probably
desirable if you intend to use PSS with SHA-3.

PSS doesn't really have any padding in the traditional sense. That is,
all the padding is somehow either hashed or xored with a hashed value.
I don't think any of the padding-related issues apply in any way to
PSS, if you disagree please explain.

(shameless plug: I wrote my thesis about PSS, in case anyone wants to
read it: https://rsapss.hboeck.de/ - it's been a while, don't be too
hard on me if I made mistakes)


--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
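Added illustration for the points argued above (this is editor-supplied example code, not code from either poster or from any TLS implementation): a stdlib-only Python implementation of EMSA-PSS-ENCODE / EMSA-PSS-VERIFY from RFC 8017 section 9.1 with SHA-256, taking the mask generation function as a parameter so the same code runs with MGF1 or with SHAKE256 in place of MGF1, next to a full-domain-hash style encoding that simply sizes SHAKE256 output to the modulus. The message, emBits = 2047 (a 2048-bit modulus) and the salt length are assumed values; the RSA exponentiation of the encoded block is omitted, since the thread is about the encoding.

```python
import hashlib
import hmac
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def mgf1_sha256(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): concatenate SHA-256(seed || counter) until mask_len bytes."""
    out = b""
    for counter in range((mask_len + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def mgf_shake256(seed: bytes, mask_len: int) -> bytes:
    """SHAKE256 used directly as the MGF: an XOF already yields any output length."""
    return hashlib.shake_256(seed).digest(mask_len)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def emsa_pss_encode(msg: bytes, em_bits: int, mgf, s_len: int, salt: bytes = None) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1) with SHA-256 and a pluggable MGF.
    Every byte of the result is a hash output, or is XORed with one: there is
    no fixed padding pattern in the clear."""
    m_hash = sha256(msg)
    h_len = len(m_hash)
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    if salt is None:
        salt = os.urandom(s_len)          # fresh salt makes the encoding probabilistic
    if len(salt) != s_len:
        raise ValueError("salt length mismatch")
    h = sha256(b"\x00" * 8 + m_hash + salt)
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt
    masked_db = _xor(db, mgf(h, em_len - h_len - 1))
    clear = 8 * em_len - em_bits          # leftmost bits must be zero so EM < modulus
    masked_db = bytes([masked_db[0] & (0xFF >> clear)]) + masked_db[1:]
    return masked_db + h + b"\xbc"


def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, mgf, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2); returns False instead of raising."""
    m_hash = sha256(msg)
    h_len = len(m_hash)
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2 or len(em) != em_len or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - h_len - 1], em[em_len - h_len - 1 : -1]
    clear = 8 * em_len - em_bits
    if masked_db[0] & ~(0xFF >> clear) & 0xFF:
        return False
    db = _xor(masked_db, mgf(h, em_len - h_len - 1))
    db = bytes([db[0] & (0xFF >> clear)]) + db[1:]
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = db[ps_len + 1 :]               # exactly s_len bytes, also when s_len == 0
    h_prime = sha256(b"\x00" * 8 + m_hash + salt)
    return hmac.compare_digest(h, h_prime)


def fdh_shake256_encode(msg: bytes, em_bits: int) -> bytes:
    """Full-domain-hash style encoding: SHAKE256 output sized to the modulus, no padding.
    Deterministic, since there is no salt."""
    em_len = (em_bits + 7) // 8
    em = bytearray(hashlib.shake_256(msg).digest(em_len))
    em[0] &= 0xFF >> (8 * em_len - em_bits)   # keep the integer below 2^em_bits (< n)
    return bytes(em)


def demo(em_bits: int = 2047) -> dict:
    """Constructed sample run; em_bits = 2047 corresponds to a 2048-bit modulus."""
    msg = b"constructed sample: TLS 1.3 CertificateVerify content"
    em1 = emsa_pss_encode(msg, em_bits, mgf1_sha256, 32)
    em2 = emsa_pss_encode(msg, em_bits, mgf1_sha256, 32)
    tampered = bytearray(em1)
    tampered[5] ^= 0x01                   # lands in PS after unmasking, so must be rejected
    em_shake = emsa_pss_encode(msg, em_bits, mgf_shake256, 32)
    return {
        "pss_probabilistic": em1 != em2,
        "pss_both_verify": emsa_pss_verify(msg, em1, em_bits, mgf1_sha256, 32)
        and emsa_pss_verify(msg, em2, em_bits, mgf1_sha256, 32),
        "pss_rejects_tamper": not emsa_pss_verify(msg, bytes(tampered), em_bits, mgf1_sha256, 32),
        "pss_rejects_other_msg": not emsa_pss_verify(b"other", em1, em_bits, mgf1_sha256, 32),
        "pss_zero_salt_deterministic": emsa_pss_encode(msg, em_bits, mgf1_sha256, 0)
        == emsa_pss_encode(msg, em_bits, mgf1_sha256, 0),
        "shake_mgf_roundtrip": emsa_pss_verify(msg, em_shake, em_bits, mgf_shake256, 32),
        "fdh_len": len(fdh_shake256_encode(msg, em_bits)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things to notice when running it: with a non-zero salt length the same message encodes differently on every call and both encodings verify, while with sLen = 0 (or a fixed salt) the encoding is deterministic; and swapping mgf1_sha256 for mgf_shake256 changes nothing else in the scheme, which is what replacing MGF1 with SHAKE amounts to. Verifier and signer must agree on the MGF and on the salt length, otherwise the salt is read from the wrong offset and verification fails.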