On Sun, Apr 9, 2017 at 12:13 PM, Niels Möller <ni...@lysator.liu.se> wrote:
> Nikos Mavrogiannopoulos <n...@redhat.com> writes:
>
>> The salt is needed in the "tight" proof for RSA-PSS, that in the end
>> assures that if RSA-PSS is broken RSA is broken. As far as I understand
>> it is not tied to some concrete attack. The paper above ties that salt
>> size with the total number of signatures generated, and PKCS#1
>> transforms this to a "security level" question, by tying the salt size
>> to length of the selected hash.
>
> Thanks. Is it possible to boil this down to some easy one-size-fits-all
> recommendation?
>
> Looking at RFC 3447 (I still haven't read it carefully), I don't see any
> solid recommendation, it says "Typical salt lengths in octets are hLen
I think the updated pkcs1 2.2 document (rfc8017), has a more solid
recommendation.
"For a given hashAlgorithm, the default value of
saltLength is the octet length of the hash value. Unlike the
other fields of type RSASSA-PSS-params, saltLength does not need
to be fixed for a given RSA key pair."
> Is TLS also using salt length == digest size? If so, I think we should
> recommend that and say that it's what's most widely used.
I do not remember whether the latest draft had any specific recommendations.
regards,
Nikos
_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
