From: yawnmoth on 10 Mar 2010 14:19

On Mar 10, 12:55 pm, Tom St Denis <t...(a)iahu.ca> wrote:
> On Mar 10, 11:57 am, yawnmoth <terra1...(a)yahoo.com> wrote:
>
> > sha1('test') encrypted, using RSAES-OAEP, with the private key;
>
> > CVDf4iidejG41Oy2bAfW2yMkEYLRUCsKr4uexw43mrNoBOJBA6+8HuFZTjOLjkHpaKoqNztfuUc ufpR1
> > uxUG85h5gS+Wio+LYHVttgWs3BFcWjVfGh8/audCMlJaFpZ2QR7ORu/VSioIJr3M+
> > +VZw4JgH9Xz3atF
> > Sw1yeFNRnEw=
>
> > Just extract the public key from the private key to verify.
>
> Question: If you have OAEP why wouldn't you just write PSS as well?

I can do PSS, too - I was just curious about why one would use it over OAEP.
From: yawnmoth on 10 Mar 2010 14:25

On Mar 10, 6:19 am, Kristian Gjøsteen <kristiag+n...(a)math.ntnu.no> wrote:
> yawnmoth <terra1...(a)yahoo.com> wrote:
> >Why doesn't PKCS#1 just create signatures by encrypting the hash?
>
> First of all, you need what's called a "full domain" hash. Second,
> the security proof for RSA-FDH is not as sharp as the security proof
> for RSA-PSS. But there are reasons to prefer RSA-FDH, e.g. that it has
> deterministic signatures.

According to PKCS1 v2.1, if, in RSA-PSS, "a fixed value or a sequence number [is] employed instead", "the resulting provable security [will be] similar to that of FDH".

That makes me wonder... how should the salt be transmitted? Does it still enhance security if it is transmitted in plaintext? IVs transmitted in plaintext don't reduce the security of CBC or CTR mode... maybe RSA-PSS salts are the same?
From: Kristian Gjøsteen on 10 Mar 2010 14:34

yawnmoth <terra1024(a)yahoo.com> wrote:
>On Mar 10, 6:19 am, Kristian Gjøsteen <kristiag+n...(a)math.ntnu.no>
>wrote:
>> yawnmoth <terra1...(a)yahoo.com> wrote:
>> >Why doesn't PKCS#1 just create signatures by encrypting the hash?
>>
>> First of all, you need what's called a "full domain" hash. Second,
>> the security proof for RSA-FDH is not as sharp as the security proof
>> for RSA-PSS. But there are reasons to prefer RSA-FDH, e.g. that it has
>> deterministic signatures.
>>
>> > Why
>> >have the Probabilistic Signature Scheme when you could just use
>> >Optimal Asymmetric Encryption Padding on the hash?
>>
>> Could you?
>
>Per Joseph Ashwood and you, it's not something I /should/ be doing,
>but it's certainly something that could be done.

Technically, a lot of things are possible.

Now, why would RSA-OAEP be secure as a signature scheme? Let's see. Responding to signature queries is easy. Responding to hash queries, how do I mix what I want to invert into the response to a query to one of the two hashes? Well, I can't spend time figuring it out.

As for RSA-PSS, responding to signature queries is easy, responding to hash queries is also easy because I can program both hashes at the same time when I get a query to the first hash, and queries for the second hash that haven't been preceded by a query to the first hash are unlikely to matter. I probably forget some details, but the general strategy is clear from the RSA-PSS diagram.

--
Kristian Gjøsteen
From: Tom St Denis on 10 Mar 2010 15:07

On Mar 10, 2:19 pm, yawnmoth <terra1...(a)yahoo.com> wrote:
> On Mar 10, 12:55 pm, Tom St Denis <t...(a)iahu.ca> wrote:
>
> > On Mar 10, 11:57 am, yawnmoth <terra1...(a)yahoo.com> wrote:
>
> > > sha1('test') encrypted, using RSAES-OAEP, with the private key;
>
> > > CVDf4iidejG41Oy2bAfW2yMkEYLRUCsKr4uexw43mrNoBOJBA6+8HuFZTjOLjkHpaKoqNztfuUc ufpR1
> > > uxUG85h5gS+Wio+LYHVttgWs3BFcWjVfGh8/audCMlJaFpZ2QR7ORu/VSioIJr3M+
> > > +VZw4JgH9Xz3atF
> > > Sw1yeFNRnEw=
>
> > > Just extract the public key from the private key to verify.
>
> > Question: If you have OAEP why wouldn't you just write PSS as well?
>
> I can do PSS, too - I was just curious about why one would use it
> over OAEP.

Different attack model? PSS is computationally cheaper than OAEP [iirc].

Tom
From: Thomas Pornin on 10 Mar 2010 15:08

According to yawnmoth <terra1024(a)yahoo.com>:
> Why doesn't PKCS#1 just create signatures by encrypting the hash? Why
> have the Probabilistic Signature Scheme when you could just use
> Optimal Asymmetric Encryption Padding on the hash?

The old-style PKCS#1 signature and encryption paddings (so-called "1.5" since they were the only ones defined in version 1.5 of PKCS#1) are heuristically good, but are not proven to be good ("proven" in the sense of "breaking them is equivalent to breaking the RSA assumption about the infeasibility of computing e-th roots modulo n"). PSS and OAEP have been defined to address this; namely, to be able to make security proofs.

Digital signatures and asymmetric encryption are not the same thing (despite the old bit of marketing which tries to claim that a signature is just reversed encryption). The properties which are expected are not the same. This calls for distinct proofs, which use distinct characteristics of the padding schemes, ultimately implying distinct padding schemes. RSA+PSS allows for a proven signature scheme, and RSA+OAEP allows for a proven asymmetric encryption scheme.

You can use RSA+OAEP "in reverse" and then claim it to be a signature scheme. This just will not benefit from the security proof anymore. At that point, if you are just after heuristic security, then the old-style 1.5 scheme is better, because, while it is no more proven, it is no less proven either, and it has been around for more time without being broken. Also, the 1.5 scheme is easier to implement.

--Thomas Pornin