On Mon, Feb 06, 2017 at 11:57:30AM -0500, Nikos Mavrogiannopoulos wrote:
> Isn't the whole purpose of moving to formally proved schemes, the fact that
> there is a proof of security? This support by TLS 1.3 invalidates this proof,
> thus making any reason to have RSASSA-PSS moot, (unless of course we have a
> proof that RSASSA-PSS when combined with RSA PKCS#1 1.5 is secure).
As to why I said I consider it unlikely: You need to match up a lot of hash
output bits (easily over 1,000) with at most 512 bits of input in order to
effect a cross-protocol attack. Matching up 1,000 hash output bits would be hard
enough. That one has only 512 bits of input makes it with overwhelming
probability impossible.

-Ilari

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
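To put numbers on the argument above, here is an added Python illustration (not part of the thread or of any TLS implementation) that encodes a digest under EMSA-PSS and under EMSA-PKCS1-v1_5 for the same modulus size, counts how many bits of the PSS encoding the mask generation function fixes from the hash value H, and checks whether the v1.5 encoding of that same digest passes PSS verification. The 2048-bit modulus, SHA-256 (so 256 input bits rather than the 512 of SHA-512 mentioned above), the 32-byte salt and the constructed digest are assumptions of the example.

```python
import hashlib
HASH = "sha256"
# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, Note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || counter) blocks, truncated to mask_len."""
    h_len = hashlib.new(HASH).digest_size
    blocks = (mask_len + h_len - 1) // h_len
    out = b"".join(hashlib.new(HASH, seed + c.to_bytes(4, "big")).digest() for c in range(blocks))
    return out[:mask_len]

def pss_encode(m_hash: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1); em_bits is modBits - 1."""
    h_len, em_len = len(m_hash), (em_bits + 7) // 8
    h = hashlib.new(HASH, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - h_len - 1)))
    # clear the leftmost 8*emLen - emBits bits so the encoding fits under the modulus
    first = masked[0] & (0xFF >> (8 * em_len - em_bits))
    return bytes([first]) + masked[1:] + h + b"\xbc"

def pss_verify(m_hash: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2): every structural check must hold."""
    h_len, em_len = len(m_hash), (em_bits + 7) // 8
    if len(em) != em_len or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top = 8 * em_len - em_bits
    if masked[0] >> (8 - top):  # leftmost bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, em_len - h_len - 1)))
    db[0] &= 0xFF >> top
    pad_len = em_len - h_len - s_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return False
    salt = bytes(db[em_len - h_len - 1 - s_len:])
    return h == hashlib.new(HASH, b"\x00" * 8 + m_hash + salt).digest()

def pkcs1_v15_encode(m_hash: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 8017 9.2) for a k-byte modulus: 00 01 FF..FF 00 T."""
    t = SHA256_DIGESTINFO + m_hash
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def cross_scheme_check(m_hash: bytes, mod_bits: int = 2048) -> dict:
    """Bits of the PSS encoding fixed by H vs. bits of hash input, and whether the
    v1.5 encoding of the same digest verifies as PSS under the same modulus size."""
    em_bits, k, h_len = mod_bits - 1, mod_bits // 8, len(m_hash)
    v15 = pkcs1_v15_encode(m_hash, k)
    return {"mask_bits": 8 * (k - h_len - 1), "hash_bits": 8 * h_len,
            "v15_verifies_as_pss": pss_verify(m_hash, v15, em_bits, h_len)}
```

For a 2048-bit modulus with SHA-256, maskedDB spans 1784 of the 2047 encoded bits and is a function of the 256-bit H, so a v1.5-padded value would have to coincide with an MGF1 output over that whole span to be accepted by both verifiers.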
