Daiki Ueno ueno@gnu.org writes:
I have incorporated the suggested changes here: https://gitlab.com/dueno/nettle/commits/wip/dueno/rsa-padding
Thanks!
I've added these changes on a branch merge-pss in the main repo, together with some smaller post-merge cleanups.
I'm considering renaming some of the pss files and functions to use a "pkcs1" prefix, and perhaps move declarations to pkcs1.h, do you think that's appropriate?
"These variants take advantage of a randomly chosen salt value, which could enhance the security by causing output to be different for equivalent inputs.
However, assuming the same security level as inverting the @acronym{RSA} algorithm, a longer salt value does not always mean better security @uref{http://www.iacr.org/archive/eurocrypt2002/23320268/coron.pdf}. The typical choices of the length are between 0 and the digest size of the underlying hash function."
That's better, but still not crystal clear. In what scenarios does the salt provide additional security? If the attacker gets to see signatures but not the corresponding messages?
Let me think aloud...
In that scenario, for a small message space, the attacker could try all possible messages to find the message for which the signature is valid, which is an information leakage. But if we also have a large salt space, there can be multiple messages for which the signature is valid. Which is good in this particular attack scenario, but otherwise sounds a bit dangerous...
Or is the salt only intended to hide message repetition, still in the attack scenario where the attacker observes the signatures but not the signed messages?
Regards, /Niels
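The EMSA-PSS encoding the thread is about, as an added reference example in Python following RFC 8017 (not nettle's code; SHA-256 and emBits = 1023 are this example's assumptions). It shows what the salt does mechanically: verification recovers the salt from the encoded message, so a random salt makes two encodings of the same message differ while both still verify, and with a zero-length salt the encoding is deterministic.

```python
import hashlib
import os

HLEN = 32  # SHA-256 digest length; hash choice is an assumption of this example

def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 with SHA-256 (RFC 8017, B.2.1)."""
    out = b""
    for counter in range((mask_len + HLEN - 1) // HLEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]

def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1); the caller supplies the salt."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error: emLen too small for hash + salt")
    m_hash = hashlib.sha256(message).digest()
    h = hashlib.sha256(b"\x00" * 8 + m_hash + salt).digest()  # H = Hash(M')
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked_db = bytearray(x ^ y for x, y in zip(db, mgf1(h, em_len - HLEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the excess leading bits
    return bytes(masked_db) + h + b"\xbc"

def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, salt_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017, 9.1.2): the salt is recovered from EM, not supplied."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - HLEN - 1], em[em_len - HLEN - 1 : -1]
    if masked_db[0] & (0xFF ^ (0xFF >> (8 * em_len - em_bits))):
        return False  # leading bits that must be zero are set
    db = bytearray(x ^ y for x, y in zip(masked_db, mgf1(h, em_len - HLEN - 1)))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    ps_len = em_len - HLEN - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False  # padding string or 0x01 separator is wrong
    salt = bytes(db[ps_len + 1:])
    h_prime = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(message).digest() + salt).digest()
    return h_prime == h

def encode_twice(message: bytes, salt_len: int, em_bits: int = 1023) -> tuple:
    """Encode one message twice with fresh random salts and return both EMs."""
    return (emsa_pss_encode(message, em_bits, os.urandom(salt_len)),
            emsa_pss_encode(message, em_bits, os.urandom(salt_len)))
```

The RSA private operation over EM is what produces the actual signature; a verifier applies the public operation to get EM back and then runs emsa_pss_verify on it.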