Nikos Mavrogiannopoulos nmav@redhat.com writes:
The salt is needed in the "tight" proof for RSA-PSS, that in the end assures that if RSA-PSS is broken RSA is broken. As far as I understand it is not tied to some concrete attack. The paper above ties that salt size with the total number of signatures generated, and PKCS#1 transforms this to a "security level" question, by tying the salt size to length of the selected hash.
Thanks. Is it possible to boil this down to some easy one-size-fits-all recommendation?
Looking at RFC 3447 (I still haven't read it carefully), I don't see any solid recommendation, it says "Typical salt lengths in octets are hLen (the length of the output of the hash function Hash) and 0." (Sec 9.1), and the definition of RSASSA-PSS-Params says "saltLength is the octet length of the salt. It shall be an integer. For a given hashAlgorithm, the default value of saltLength is the octet length of the hash value." (A.2.3)
Is TLS also using salt length == digest size? If so, I think we should recommend that and say that it's what's most widely used.
And using an empty salt seems a bit pointless, then there's no theoretical or practical advantages over pkcs1 v1.5 signatures, right? (See also http://crypto.stackexchange.com/questions/1217/rsa-pss-salt-size).
Regards, /Niels