On Sun, Apr 9, 2017 at 12:13 PM, Niels Möller <ni...@lysator.liu.se> wrote:
> Nikos Mavrogiannopoulos <n...@redhat.com> writes:
>
>> The salt is needed in the "tight" proof for RSA-PSS, that in the end
>> assures that if RSA-PSS is broken RSA is broken. As far as I understand
>> it is not tied to some concrete attack. The paper above ties that salt
>> size with the total number of signatures generated, and PKCS#1
>> transforms this to a "security level" question, by tying the salt size
>> to length of the selected hash.
>
> Thanks. Is it possible to boil this down to some easy one-size-fits-all
> recommendation?
>
> Looking at RFC 3447 (I still haven't read it carefully), I don't see any
> solid recommendation, it says "Typical salt lengths in octets are hLen

I think the updated pkcs1 2.2 document (rfc8017), has a more solid
recommendation.

"For a given hashAlgorithm, the default value of saltLength is the octet
length of the hash value. Unlike the other fields of type
RSASSA-PSS-params, saltLength does not need to be fixed for a given RSA
key pair."

> Is TLS also using salt length == digest size? If so, I think we should
> recommend that and say that it's what's most widely used.

I do not remember whether the latest draft had any specific
recommendations.

regards,
Nikos
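
The following is an added example, not part of the original message and not nettle code. It shows where the salt sits in the EMSA-PSS encoding of RFC 8017 and how a verifier can pin the expected salt length to the hash length. The function names are hypothetical, the sample message is constructed, and the RSA operation on the encoded message is omitted.

```python
import hashlib, os

H = hashlib.sha256
HLEN = H().digest_size  # 32 octets; RFC 8017's default saltLength for SHA-256

def mgf1(seed, n):
    """MGF1 mask generation (RFC 8017, B.2.1)."""
    blocks = (H(seed + i.to_bytes(4, "big")).digest() for i in range(-(-n // HLEN)))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pss_encode(msg, em_bits, salt):
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1); em_bits is modulus bits minus 1."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("salt too long for this modulus")
    h = H(b"\x00" * 8 + H(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db))))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)   # clear bits above em_bits
    return bytes(masked) + h + b"\xbc"

def pss_salt_length(msg, em, em_bits):
    """Salt length carried by a valid encoding, or None if it is invalid."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + 2 or em[-1] != 0xBC:
        return None
    masked, h = em[:-HLEN - 1], em[-HLEN - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:
        return None
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= top
    rest = bytes(db).lstrip(b"\x00")               # drop the zero padding PS
    if rest[:1] != b"\x01":
        return None
    salt = rest[1:]
    ok = H(b"\x00" * 8 + H(msg).digest() + salt).digest() == h
    return len(salt) if ok else None

def pss_verify(msg, em, em_bits, salt_len=HLEN):
    """Accept only encodings made with the salt length the verifier expects."""
    return pss_salt_length(msg, em, em_bits) == salt_len

if __name__ == "__main__":
    em = pss_encode(b"constructed message", 2047, os.urandom(HLEN))
    print(pss_salt_length(b"constructed message", em, 2047))
```

With a 2048-bit modulus and SHA-256, the encoding has room for salts from 0 to 222 octets, so the same key can produce valid encodings with different salt lengths; `pss_verify` rejects any that do not match the length it was told to expect.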