Prev: commutative property of algorithms
Next: Why is Kerberos ever used, rather than modern public key cryptography?
From: Thomas Pornin on 10 Mar 2010 15:13
According to Tom St Denis <tom(a)iahu.ca>:
> Different attack model? PSS is computationally cheaper than OAEP
> [iirc].

Computational costs of PSS and OAEP are very similar. PSS implies
a hash function call and a MGF function call, where the MGF is
built around a hash function, which it will invoke as many times
as necessary to get enough output. OAEP uses two MGF calls, one
of which for an output of about the same size than the underlying
hash function, and the other with an output similar in length to
the MGF output in PSS. The computational cost of OAEP should really
come out to be very close to the cost of PSS.

And that is for padding alone. The modular exponentiation, even the
public one (with e = 3), will completely dwarf out the padding cost.


--Thomas Pornin
From: Kristian Gj�steen on 10 Mar 2010 15:26
yawnmoth <terra1024(a)yahoo.com> wrote:
>That makes me wonder... how should the salt be transmitted? Does it
>still enhance security if it is transmitted in plaintext? IV's
>transmitted in plaintext don't reduce the security of CBC or CTR
>mode... maybe RSA-PSS salts are the same?

You recover the salt from the signature. Find a good diagram of RSA-PSS.

--
Kristian Gj�steen
First  |  Prev  | 
Pages: 1 2 3
Prev: commutative property of algorithms
Next: Why is Kerberos ever used, rather than modern public key cryptography?