Re: OAEP vs. PSS in PKCS#1

"yawnmoth" <terra1024@xxxxxxxxx> wrote in message news:ae8d6793-9903-415e-8a09-60a5a4058472@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Why doesn't PKCS#1 just create signatures by encrypting the hash?

Because there are attacks against the direct encryption of the hash.

have the Probabilistic Signature Scheme when you could just use
Optimal Asymmetric Encryption Padding on the hash?

It's about the proof of security. The proof for OAEP doesn't apply to signatures, the proof for PSS applies directly to signatures. OAEP is probably safe for signatures with a few modifications, but the PSS proof is more convenient.

The only thing I
can figure is this: that OAEP could be used but because it has,
embedded within it, a hash of the message, it requires larger keys
than PSS requires.

Actually the key size makes no difference. The key sizes required for security are larger than the key sizes required for either OAEP or PSS.
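
The sketch below is an added example, not part of the original thread: it shows the PSS encoding step (EMSA-PSS from RFC 8017, RSA operation omitted) and the minimum block sizes behind the key-size point discussed above. SHA-256, a 32-byte salt and a 2048-bit modulus are assumptions chosen for illustration, and the helper names are hypothetical.

```python
import hashlib, os

H = hashlib.sha256
HLEN = H().digest_size  # 32 bytes for SHA-256 (assumed hash)

def mgf1(seed, length):
    """MGF1 mask generation (RFC 8017, B.2.1)."""
    blocks = (H(seed + i.to_bytes(4, "big")).digest() for i in range(-(-length // HLEN)))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pss_encode(msg, em_bits, salt):
    """EMSA-PSS-ENCODE: returns the block that RSA would then sign."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("modulus too small for this hash and salt")
    h = H(b"\x00" * 8 + H(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db))))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear bits above em_bits
    return bytes(masked) + h + b"\xbc"

def pss_verify(msg, em, em_bits, s_len):
    """EMSA-PSS-VERIFY: unmask, check padding, recover salt, recompute H."""
    em_len = (em_bits + 7) // 8
    pad = em_len - HLEN - s_len - 2
    if len(em) != em_len or pad < 0 or em[-1] != 0xBC:
        return False
    masked, h = em[:-HLEN - 1], em[-HLEN - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:
        return False
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= top
    if bytes(db[:pad]) != b"\x00" * pad or db[pad] != 0x01:
        return False
    return H(b"\x00" * 8 + H(msg).digest() + bytes(db[pad + 1:])).digest() == h

def pss_min_em_len(s_len):  # smallest encoded block (bytes) PSS accepts
    return HLEN + s_len + 2

def oaep_min_k(m_len):      # smallest modulus (bytes) OAEP accepts for an m_len-byte input
    return m_len + 2 * HLEN + 2

if __name__ == "__main__":
    em = pss_encode(b"constructed sample message", 2047, os.urandom(HLEN))
    print(pss_verify(b"constructed sample message", em, 2047, HLEN))
    print(pss_min_em_len(HLEN), oaep_min_k(HLEN), "bytes; assumed 2048-bit modulus = 256")
```

With these assumptions PSS needs at least 66 bytes and OAEP applied to a 32-byte hash needs at least 98, both far below the 256 bytes of the assumed 2048-bit modulus.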

