Re: [TLS] RSA-PSS in TLS 1.3
Fedor Brunner <fedor.brunner@azet.sk> Fri, 04 March 2016 16:45 UTC
To: tls@ietf.org
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <BC718116-64C4-46C0-870C-D82DE64B4C63@gmail.com> <20160302065747.GC10917@mournblade.imrryr.org> <201603021616.15731.davemgarrett@gmail.com> <BN1PR09MB12407B52B773981DB214919F3BD0@BN1PR09MB124.namprd09.prod.outlook.com> <20160303144947.0402bad9@pc1>
From: Fedor Brunner <fedor.brunner@azet.sk>
Message-ID: <56D9BB9F.5090102@azet.sk>
Date: Fri, 04 Mar 2016 17:45:19 +0100
In-Reply-To: <20160303144947.0402bad9@pc1>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/N9qqobpQASVLhSrAQN6V7z7nsb0>
Hanno Böck:
> On Thu, 3 Mar 2016 13:35:46 +0000
> "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
>
>> Why don't we use an even more elegant RSA signature called
>> "full-domain hash RSA signature"?
>
> Full Domain Hashing was originally developed by Rogaway and Bellare and
> then later dismissed because they found that they could do better. Then
> they developed PSS.
>
> See
> http://web.cs.ucdavis.edu/~rogaway/papers/exact.pdf
>
> So in essence FDH is a predecessor of PSS and the authors of both
> schemes came to the conclusion that PSS is the superior scheme.
>
>
>> As you know, a SHAKE (as a variable output-length hash function)
>> naturally produces a hash value which fits any given modulus size.
>> Therefore, no paddings are needed which avoids any potential issues
>> with the paddings and the signature algorithm would be very simple.
>
> You could also use SHAKE in PSS to replace MGF1. This is probably
> desirable if you intend to use PSS with SHA-3.
>
> PSS doesn't really have any padding in the traditional sense. That is,
> all the padding is somehow either hashed or xored with a hashed value.
> I don't think any of the padding-related issues apply in any way to
> PSS, if you disagree please explain.
>
> (shameless plug: I wrote my thesis about PSS, in case anyone wants to
> read it: https://rsapss.hboeck.de/ - it's been a while, don't be too
> hard on me if I made mistakes)
>

Please see the paper "Another Look at ``Provable Security''" from Neal
Koblitz and Alfred Menezes. https://eprint.iacr.org/2004/152

Section 7: Conclusion

"There is no need for the PSS or Katz-Wang versions of RSA; one might as
well use just the basic “hash and exponentiate” signature scheme (with a
full-domain hash function)."

Fedor
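The two encodings argued over in this message can be compared concretely: in PSS every byte of the encoded message is either a hash output or is XORed with a hash-derived mask (Hanno's point), and MGF1 can be replaced by a SHAKE; the full-domain-hash alternative that Quynh and the Koblitz/Menezes paper favour simply stretches a XOF to the modulus length. The code below is an added example, not code from this message, from Hanno's thesis or from any TLS implementation. It implements EMSA-PSS encoding and verification as specified in RFC 8017 section 9.1 with SHA-256 and a 32-byte salt, an assumed SHAKE256-based mask generation function standing in for MGF1 (not a standardized MGF), and a simplified FDH encoding. Only the encoding layer is shown: the RSA exponentiation, and the requirement that an FDH value be uniformly reduced modulo n rather than merely truncated, are out of scope. `em_bits` is modBits minus one, as RFC 8017 uses it.

```python
import hashlib
import secrets

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 bytes for SHA-256


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1) over SHA-256: counter-mode hashing of the seed."""
    out = b""
    for counter in range((mask_len + H_LEN - 1) // H_LEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def mgf_shake256(seed: bytes, mask_len: int) -> bytes:
    """Assumed alternative MGF: a XOF used directly, as the message suggests."""
    return hashlib.shake_256(seed).digest(mask_len)


def emsa_pss_encode(msg: bytes, em_bits: int, s_len: int = H_LEN, mgf=mgf1, salt=None) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1). A fixed salt may be passed for testing only."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + s_len + 2:
        raise ValueError("encoding error: modulus too short for hash and salt")
    m_hash = HASH(msg).digest()
    if salt is None:
        salt = secrets.token_bytes(s_len)  # fresh randomness makes PSS probabilistic
    if len(salt) != s_len:
        raise ValueError("salt length does not match s_len")
    # H = Hash(8 zero bytes || mHash || salt): the salt only ever appears hashed...
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()
    # DB = PS || 0x01 || salt, then masked: ...or XORed with a hash-derived mask.
    db = b"\x00" * (em_len - s_len - H_LEN - 2) + b"\x01" + salt
    db_mask = mgf(h, em_len - H_LEN - 1)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # keep EM below the modulus
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int = H_LEN, mgf=mgf1) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2): recover the salt and recompute H."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    m_hash = HASH(msg).digest()
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    top_bits = 8 * em_len - em_bits
    if masked_db[0] & ~(0xFF >> top_bits) & 0xFF:
        return False  # leading bits that must be zero are set
    db_mask = mgf(h, em_len - H_LEN - 1)
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))
    db[0] &= 0xFF >> top_bits
    ps_len = em_len - H_LEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False  # padding string or separator inconsistent
    salt = bytes(db[ps_len + 1 :])
    h_prime = HASH(b"\x00" * 8 + m_hash + salt).digest()
    return secrets.compare_digest(h, h_prime)


def fdh_encode(msg: bytes, em_bits: int) -> bytes:
    """Simplified 'hash and exponentiate' input: SHAKE256 stretched to the modulus
    length (assumption: SHAKE256 as the full-domain hash). Only the excess leading
    bits are cleared; a faithful FDH must produce a value uniformly below n."""
    em_len = (em_bits + 7) // 8
    em = bytearray(hashlib.shake_256(msg).digest(em_len))
    em[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(em)


if __name__ == "__main__":
    # Constructed demo input for a 2048-bit modulus (emBits = 2047).
    msg, em_bits = b"constructed handshake transcript", 2047
    em = emsa_pss_encode(msg, em_bits)
    print("PSS   EM:", em.hex()[:32], "... verifies:", emsa_pss_verify(msg, em, em_bits))
    em_shake = emsa_pss_encode(msg, em_bits, mgf=mgf_shake256)
    print("PSS/SHAKE verifies with MGF1:", emsa_pss_verify(msg, em_shake, em_bits))
    print("FDH   EM:", fdh_encode(msg, em_bits).hex()[:32], "... (deterministic)")
```

Two properties worth noticing when running it: the PSS encoding of the same message differs on every call because the salt is fresh, while the FDH encoding is deterministic; and a verifier that uses a different MGF than the signer rejects an otherwise valid encoding, which is why the choice of MGF (MGF1 versus a SHAKE) has to be fixed by the signature algorithm identifier rather than left to implementations.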