Re: [TLS] RSA-PSS in TLS 1.3

Fedor Brunner <fedor.brunner@azet.sk> Fri, 04 March 2016 16:45 UTC

Return-Path: <fedor.brunner@azet.sk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C46AF1A1A68 for <tls@ietfa.amsl.com>; Fri, 4 Mar 2016 08:45:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.803
X-Spam-Level: *
X-Spam-Status: No, score=1.803 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HELO_EQ_SK=1.35, HOST_EQ_SK=0.555, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ldhPj0nQNZrk for <tls@ietfa.amsl.com>; Fri, 4 Mar 2016 08:45:32 -0800 (PST)
Received: from smtp-01-out.s.azet.sk (smtp-05-out.s.azet.sk [91.235.53.55]) by ietfa.amsl.com (Postfix) with ESMTP id 8DCDD1A1A4D for <tls@ietf.org>; Fri, 4 Mar 2016 08:45:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=azet.sk; s=azet; t=1457109931; bh=uBjep+ACL+Nq6t8WS1UlDGgbB5x4NJZG+Osap73BfUQ=; h=Subject:To:References:From:Date:In-Reply-To:From; b=XsVneRWUfVCIJWapy3PLn/10ZEm+jfGlhbyQqLgNqHQsDnDF3j8oPgjhz/9v/3Oor iAjomaHTd84lduUA0pBwLw/MRCNDXM4xLYhqgdQK9WiLpa85/FAdwq7djYDuv+2bHZ jGbgEKlFdC1TRZYhOhyPyrlCebtfG5HWfjserw84=
X-Virus-Scanned: by AntiSpam at azet.sk
X-SenderID: Sendmail Sender-ID Filter v1.0.0 smtp.azet.sk C9AF99A
Authentication-Results: smtp.azet.sk; sender-id=fail (NotPermitted) header.from=fedor.brunner@azet.sk; auth=pass (PLAIN); spf=fail (NotPermitted) smtp.mfrom=fedor.brunner@azet.sk
To: tls@ietf.org
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <BC718116-64C4-46C0-870C-D82DE64B4C63@gmail.com> <20160302065747.GC10917@mournblade.imrryr.org> <201603021616.15731.davemgarrett@gmail.com> <BN1PR09MB12407B52B773981DB214919F3BD0@BN1PR09MB124.namprd09.prod.outlook.com> <20160303144947.0402bad9@pc1>
From: Fedor Brunner <fedor.brunner@azet.sk>
Message-ID: <56D9BB9F.5090102@azet.sk>
Date: Fri, 4 Mar 2016 17:45:19 +0100
MIME-Version: 1.0
In-Reply-To: <20160303144947.0402bad9@pc1>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/N9qqobpQASVLhSrAQN6V7z7nsb0>
Subject: Re: [TLS] RSA-PSS in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Mar 2016 16:45:35 -0000

Hanno Böck:
> On Thu, 3 Mar 2016 13:35:46 +0000
> "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
> 
>> Why don't we use an even more elegant RSA signature called "
>> full-domain hash RSA signature" ?
> 
> Full Domain Hashing was originally developed by Rogaway and Bellare and
> then later dismissed because they found that they could do better. Then
> they developed PSS.
> 
> See
> http://web.cs.ucdavis.edu/~rogaway/papers/exact.pdf
> 
> So in essence FDH is a predecessor of PSS and the authors of both
> schemes came to the conclusion that PSS is the superior scheme.
> 
> 
>> As you know, a SHAKE (as a variable output-length hash function)
>> naturally produces a hash value which fits any given modulus size.
>> Therefore, no paddings are needed which avoids any potential issues
>> with the paddings and the signature algorithm would be very simple. 
> 
> You could also use SHAKE in PSS to replace MGF1. This is probably
> desirable if you intent to use PSS with SHA-3.
> 
> PSS doesn't really have any padding in the traditional sense. That is,
> all the padding is somehow either hashed or xored with a hashed value.
> I don't think any of the padding-related issues apply in any way to
> PSS, if you disagree please explain.
> 
> (shameless plug: I wrote my thesis about PSS, in case anyone wants to
> read it: https://rsapss.hboeck.de/ - it's been a while, don't be too
> hard on me if I made mistakes)
> 
> 
Please see the paper "Another Look at ``Provable Security''" from Neal
Koblitz and Alfred Menezes.

https://eprint.iacr.org/2004/152

Section 7: Conclusion

"There is no need for the PSS or Katz-Wang versions of RSA;
one might as well use just the basic “hash and exponentiate” signature
scheme (with a full-domain hash function)."

Fedor