Prev: commutative property of algorithms
Next: Why is Kerberos ever used, rather than modern public key cryptography?
From: yawnmoth on 9 Mar 2010 23:09
Why doesn't PKCS#1 just create signatures by encrypting the hash? Why
have the Probabilistic Signature Scheme when you could just use
Optimal Asymmetric Encryption Padding on the hash? The only thing I
can figure is this: that OAEP could be used but because it has,
embedded within it, a hash of the message, it requires larger keys
than PSS requires.
From: Joseph Ashwood on 10 Mar 2010 05:18
"yawnmoth" <terra1024(a)yahoo.com> wrote in message
news:ae8d6793-9903-415e-8a09-60a5a4058472(a)d27g2000yqf.googlegroups.com...
> Why doesn't PKCS#1 just create signatures by encrypting the hash?

Because there are attacks against the direct encryption of the hash.

> Why
> have the Probabilistic Signature Scheme when you could just use
> Optimal Asymmetric Encryption Padding on the hash?

Its about the proof of security. The proof for OAEP doesn't apply to
signatures, the proof for PSS applies directly to signatures. OAEP is
probably safe for signatures with a few modifications, but the PSS proof is
more convenient.

> The only thing I
> can figure is this: that OAEP could be used but because it has,
> embedded within it, a hash of the message, it requires larger keys
> than PSS requires.

Actually the key size makes no difference. The key sizes required for
security are larger than the key sizes required for either OAEP or PSS.
Joe

From: Kristian Gj�steen on 10 Mar 2010 07:19
yawnmoth <terra1024(a)yahoo.com> wrote:
>Why doesn't PKCS#1 just create signatures by encrypting the hash?

First of all, you need what's called a "full domain" hash. Second,
the security proof for RSA-FDH is not as sharp as the security proof
for RSA-PSS. But there are reasons to prefer RSA-FDH, e.g. that it has
deterministic signatures.

> Why
>have the Probabilistic Signature Scheme when you could just use
>Optimal Asymmetric Encryption Padding on the hash?

Could you?

--
Kristian Gj�steen
From: yawnmoth on 10 Mar 2010 11:57
On Mar 10, 6:19 am, Kristian Gj steen <kristiag+n...(a)math.ntnu.no>
wrote:
> yawnmoth  <terra1...(a)yahoo.com> wrote:
> >Why doesn't PKCS#1 just create signatures by encrypting the hash?
>
> First of all, you need what's called a "full domain" hash.  Second,
> the security proof for RSA-FDH is not as sharp as the security proof
> for RSA-PSS.  But there are reasons to prefer RSA-FDH, e.g. that it has
> deterministic signatures.
>
> >  Why
> >have the Probabilistic Signature Scheme when you could just use
> >Optimal Asymmetric Encryption Padding on the hash?
>
> Could you?

Per Joseph Ashwood and you, it's not something I /should/ be doing,
but it's certainly something that could be done. For example,

The private key:

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCI4BiXFN3zQpBJ5tXTXvrG6znYGfwy2+kA76wy0d/
RHvcCTZ6NtE7UDuWT5CND
mC5Ykwk5XxUgV1O6Y9cSGLvOU12MslmNsr19nPWldhCA2HqIRIrLNb
+p2YKmKgPzz9XwDREomCez
6UNbJu5O5qt6gO
+r3P8jC4BYLuGH7+zlIQIDAQABAoGAGeTdOg3ATHIyBk0VdCKiiim7fHK0B7Ib
MypkVwvlzfPP8n9ZKMEs7Yiw7WjKNBIw6GBOrSwb/
M2QgTE8oYeM1byzPpEfMN2DCbgJdrTO5h/h
fOQfjQVBACwsmvP0LknqcLqDjnEfQowwK3qSnVB88Ew0WB
+OlqsRImVJk8HQWy0CQQDbDhcMb2kl
Dtisbv8i3cmZkboK2BY5doRXLynC4wyxb901zkEHQflJDb5iMehcmNPqfoSveW1YocLPf5yoqEs9
AkEAn/XSHOobXwZTpYNOCy+O24R/LAPHVyr0lHG48Rig1KjjRhgmAdvcYvEtEVafk9mC
+NEbsxR7
PFKXHnSG95WvtQJBAKgvo0aq66HGSlnqRv3wJ28/UgYtbrLj6iw+S
+QUC5TYfJFpMMhvwQR0Bu7B
vtQJivuJ9Dn+ExRv7nD
+W7uqq0kCQAqCikWgFCBQOBq939jYTRibQgfQT76ocd13A2HD7n1Kg3RN
jeG9YmOV2RI0kNOUDQjwJFPF2rsB6i/0FBIcYakCQQDCG/UcMI4c8tCZJEO
+PU0U5f6eX7egEP+I
matDr8BVKz2yCdrbtUgUc8qhqhVF0/mhe7a1afVqWqCjsjwuDjIA
-----END RSA PRIVATE KEY-----

sha1('test') encrypted, using RSAES-OAEP, with the private key;

CVDf4iidejG41Oy2bAfW2yMkEYLRUCsKr4uexw43mrNoBOJBA6+8HuFZTjOLjkHpaKoqNztfuUcufpR1
uxUG85h5gS+Wio+LYHVttgWs3BFcWjVfGh8/audCMlJaFpZ2QR7ORu/VSioIJr3M+
+VZw4JgH9Xz3atF
Sw1yeFNRnEw=

Just extract the public key from the private key to verify.
From: Tom St Denis on 10 Mar 2010 13:55
On Mar 10, 11:57 am, yawnmoth <terra1...(a)yahoo.com> wrote:
> sha1('test') encrypted, using RSAES-OAEP, with the private key;
>
> CVDf4iidejG41Oy2bAfW2yMkEYLRUCsKr4uexw43mrNoBOJBA6+8HuFZTjOLjkHpaKoqNztfuUc ufpR1
> uxUG85h5gS+Wio+LYHVttgWs3BFcWjVfGh8/audCMlJaFpZ2QR7ORu/VSioIJr3M+
> +VZw4JgH9Xz3atF
> Sw1yeFNRnEw=
>
> Just extract the public key from the private key to verify.

Question: If you have OAEP why wouldn't you just write PSS as well?

Tom
 |  Next  |  Last
Pages: 1 2 3
Prev: commutative property of algorithms
Next: Why is Kerberos ever used, rather than modern public key cryptography?