On Thu, 2016-03-03 at 17:11 +0100, Hanno Böck wrote:
> > It may be worth asking the authors what's their opinion of FDH vs PSS
> > in view of the state of the art *today*.
> You may do that, but I doubt that changes much.
>
> I think FDH really is not an option at all here. It may very well be
> that there are better ways to do RSA-padding, but I don't think that
> this is viable for TLS 1.3 (and I don't think FDH is better).
> PSS has an RFC (3447) and has been thoroughly analyzed by research. I
> think there has been far less analyzing effort towards FDH (or any
> other construction) and it is not in any way specified in a standards
> document. If one would want to use FDH or anything else one would imho
> first have to go through some standardization process (which could be
> CFRG or NIST or someone else) and call for a thorough analysis of it
> by the cryptographic community. Which would take at least a couple of
> years.
>
> Given that there probably is no long term future for RSA anyway (people
> want ECC and postquantum is ahead) I doubt anything else than the
> primitives we already have in standards will ever be viable.

On the contrary. If we have a future with quantum computers available,
the only thing that we have now and would work is RSA with larger keys,
not ECC.

regards,
Nikos
