On Sun, Apr 9, 2017 at 12:13 PM, Niels Möller nisse@lysator.liu.se wrote:
> Nikos Mavrogiannopoulos nmav@redhat.com writes:
>> The salt is needed in the "tight" proof for RSA-PSS, that in the end assures that if RSA-PSS is broken RSA is broken. As far as I understand, it is not tied to some concrete attack. The paper above ties that salt size with the total number of signatures generated, and PKCS#1 transforms this to a "security level" question, by tying the salt size to the length of the selected hash.
> Thanks. Is it possible to boil this down to some easy one-size-fits-all recommendation?
> Looking at RFC 3447 (I still haven't read it carefully), I don't see any solid recommendation; it says "Typical salt lengths in octets are hLen
I think the updated PKCS#1 2.2 document (RFC 8017) has a more solid recommendation. "For a given hashAlgorithm, the default value of saltLength is the octet length of the hash value. Unlike the other fields of type RSASSA-PSS-params, saltLength does not need to be fixed for a given RSA key pair."
> Is TLS also using salt length == digest size? If so, I think we should recommend that and say that it's what's most widely used.
I do not remember whether the latest draft had any specific recommendations.
regards, Nikos
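
An added example, not part of this thread and not Nettle's code: the EMSA-PSS encoding and verification steps of RFC 8017 section 9.1 in Python with SHA-256, showing that a verifier expecting a different salt length than the signer used rejects the encoding. The RSA operation itself is left out; the message, the salts and the 2047-bit encoding size (a 2048-bit modulus) are constructed sample values.

```python
import hashlib

def mgf1(seed, length, h=hashlib.sha256):
    """MGF1 mask generation function (RFC 8017, appendix B.2.1)."""
    out, counter = b"", 0
    while len(out) < length:
        out += h(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def emsa_pss_encode(msg, em_bits, salt, h=hashlib.sha256):
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1); the caller supplies the salt."""
    h_len, em_len = h().digest_size, (em_bits + 7) // 8
    if em_len < h_len + len(salt) + 2:
        raise ValueError("modulus too small for this hash and salt length")
    H = h(b"\x00" * 8 + h(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(H, len(db), h)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused top bits
    return bytes(masked) + H + b"\xbc"

def emsa_pss_verify(msg, em, em_bits, s_len, h=hashlib.sha256):
    """EMSA-PSS-VERIFY (RFC 8017, 9.1.2) for an expected salt length s_len."""
    h_len, em_len = h().digest_size, (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, H = em[:-h_len - 1], em[-h_len - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:
        return False
    db = bytearray(xor(masked, mgf1(H, len(masked), h)))
    db[0] &= top
    ps_len = em_len - h_len - s_len - 2
    # The 0x01 separator sits right before the salt, so its expected
    # position depends on s_len; a mismatch is rejected here.
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1:])
    return h(b"\x00" * 8 + h(msg).digest() + salt).digest() == H

if __name__ == "__main__":
    import os
    msg, em_bits = b"constructed sample message", 2047
    em = emsa_pss_encode(msg, em_bits, os.urandom(32))  # salt length == hLen
    print(emsa_pss_verify(msg, em, em_bits, 32))  # verifier expects hLen
    print(emsa_pss_verify(msg, em, em_bits, 0))   # verifier expects no salt
```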