PSS is similar to OAEP, but is for signatures. If you have OAEP implemented, then it wouldn't take you long to do PSS, which is described in the PKCS-1v2.1 document.
Hacking OAEP into a signature scheme sounds a little dangerous. However, I guess the idea would idea would just be to hash your message and "encrypt" the hash with the private exponent. You want your signature scheme to be existentially unforgeable. If could forge one of these signatures, then I not certain what that says about the security of OAEP encryption (maybe nothing since anyone can create validate OAEP ciphertexts). Full-domain-hash RSA is quite easy to implement. If you don't like PSS, then you could look at it. -James On 13-01-26 10:00 AM, ianG wrote: > Apologies in advance ;) but a cryptography question: > > I'm coding (or have coded) a digital signature class in RSA. In my > research on how to frame the input to the RSA private key operation, I > was told words to effect "just use OAEP and you're done and dusted." > Which was convenient as that was already available/coded. > > However I haven't seen any other code doing this - it is mostly PKCS1, > etc, and RFC3447 doesn't enlighten in this direction. > > Could OAEP be considered reasonable for signatures? or is this a case > of totally inappropriate? Or somewhere in between? > > > > iang > _______________________________________________ > cryptography mailing list > [email protected] > http://lists.randombit.net/mailman/listinfo/cryptography
signature.asc
Description: OpenPGP digital signature
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
