On Monday 06 March 2006 14:25, chendongdong wrote: > ... > Which kind of salt should I provide?
from RSA's submission to the NESSIE project (annex-B, page 8): "RSA-PSS is different than other RSA-based signature schemes in that it is probabilistic rather than deterministic, incorporating a randomly generated salt value. The salt value enhances the security of the scheme by affording a “tighter” security proof than deterministic alternatives such as Full Domain Hashing (FDH) (see [14] for discussion). However, the randomness is not critical to security. In situations where random generation is not possible, a fixed value or a sequence number could be employed instead, with the resulting provable security similar to that of FDH [15]. The randomness also reduces the requirements on the underlying hash function. Since an opponent does not know which salt value the signer will select, finding a collision in the hash function (two messages with the same hash value) does not enable an opponent to forge signatures. Accordingly, the collision-resistance of the hash function is not as important as in a deterministic signature scheme." i hope this answers your question. cheers; rsn
pgplN2nPT8RdZ.pgp
Description: PGP signature
_______________________________________________ gnu-crypto-discuss mailing list [email protected] http://lists.gnu.org/mailman/listinfo/gnu-crypto-discuss
