On Tue, 2017-04-04 at 23:39 +0200, Niels Möller wrote:
"These variants take advantage of a randomly chosen salt value, which could enhance the security by causing output to be different for equivalent inputs.
However, assuming the same security level as inverting the @acronym{RSA} algorithm, a longer salt value does not always mean better security @uref{http://www.iacr.org/archive/eurocrypt2002/23320268/coron.pdf}. The typical choices of the length are between 0 and the digest size of the underlying hash function."
That's better, but still not crystal clear. In what scenarios does the salt provide additional security? If the attacker gets to see signatures but not the corresponding messages?
The salt is needed in the "tight" proof for RSA-PSS, that in the end assures that if RSA-PSS is broken RSA is broken. As far as I understand, it is not tied to some concrete attack. The paper above ties that salt size with the total number of signatures generated, and PKCS#1 transforms this to a "security level" question, by tying the salt size to the length of the selected hash.
regards, Nikos
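To make the salt-length discussion above concrete, here is the EMSA-PSS encoding and verification from RFC 8017 section 9.1 written with only hashlib, so the effect of the salt length can be seen directly in the encoded message before any RSA operation. This is an added example, not nettle's code and not part of the thread; it assumes a 2048-bit modulus (emBits = 2047, so emLen = 256), SHA-256 as the hash, and the message and salt lengths chosen here are for illustration only.

```python
"""EMSA-PSS (RFC 8017 section 9.1) with hashlib only. Added example, not nettle's code.
Shows: sLen = 0 gives a deterministic encoding, sLen = hLen gives a fresh encoding each
time, and the largest salt a modulus admits is emLen - hLen - 2 bytes."""
import hashlib
import hmac
import secrets


def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha256") -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || counter) blocks, truncated to mask_len."""
    h_len = hashlib.new(hash_name).digest_size
    out = b""
    for counter in range((mask_len + h_len - 1) // h_len):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def max_salt_len(em_bits: int, hash_name: str = "sha256") -> int:
    """Largest sLen that still satisfies emLen >= hLen + sLen + 2 (RFC 8017 9.1.1 step 3)."""
    return (em_bits + 7) // 8 - hashlib.new(hash_name).digest_size - 2


def emsa_pss_encode(message: bytes, em_bits: int, salt_len: int,
                    hash_name: str = "sha256", salt=None) -> bytes:
    """EMSA-PSS-ENCODE(M, emBits). A random salt of salt_len bytes is drawn unless
    one is supplied (supplying it is only for tests; real signers draw it fresh)."""
    h = lambda data: hashlib.new(hash_name, data).digest()
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if em_len < h_len + salt_len + 2:
        raise ValueError("encoding error: salt too long for this modulus/hash")
    if salt is None:
        salt = secrets.token_bytes(salt_len)  # salt_len == 0 gives b"" and no randomness
    elif len(salt) != salt_len:
        raise ValueError("supplied salt does not match salt_len")
    m_hash = h(message)
    h_val = h(bytes(8) + m_hash + salt)            # H = Hash(0x00*8 || mHash || salt)
    db = bytes(em_len - salt_len - h_len - 2) + b"\x01" + salt  # PS || 0x01 || salt
    db_mask = mgf1(h_val, em_len - h_len - 1, hash_name)
    masked_db = bytes(a ^ b for a, b in zip(db, db_mask))
    # Clear the leftmost 8*emLen - emBits bits so EM, as an integer, is below the modulus.
    top_mask = 0xFF >> (8 * em_len - em_bits)
    masked_db = bytes([masked_db[0] & top_mask]) + masked_db[1:]
    return masked_db + h_val + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, salt_len: int,
                    hash_name: str = "sha256") -> bool:
    """EMSA-PSS-VERIFY(M, EM, emBits) with the verifier's expected salt_len.
    Returns True for 'consistent', False for 'inconsistent'."""
    h = lambda data: hashlib.new(hash_name, data).digest()
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h_val = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & (~top_mask & 0xFF):
        return False  # bits that the encoder must have cleared are set
    db_mask = mgf1(h_val, em_len - h_len - 1, hash_name)
    db = bytes(a ^ b for a, b in zip(masked_db, db_mask))
    db = bytes([db[0] & top_mask]) + db[1:]
    ps_len = em_len - h_len - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False  # padding or separator wrong: salt length disagrees or EM is forged
    salt = db[ps_len + 1:]  # exactly salt_len bytes
    return hmac.compare_digest(h(bytes(8) + h(message) + salt), h_val)


if __name__ == "__main__":
    msg = b"constructed sample message"
    print("sLen=0 deterministic:", emsa_pss_encode(msg, 2047, 0) == emsa_pss_encode(msg, 2047, 0))
    print("sLen=32 randomized:", emsa_pss_encode(msg, 2047, 32) != emsa_pss_encode(msg, 2047, 32))
    print("max sLen for 2048-bit key, SHA-256:", max_salt_len(2047))
```

The verifier has to know the salt length (or probe for it) because it is not transmitted; the 0x01 separator is what lets the decode step detect a mismatch, which is why the two ends of an RSA-PSS deployment must agree on sLen in advance, as PKCS#1 does by defaulting it to the hash length.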