Paper 2001/053

Security Proofs for the RSA-PSS Signature Scheme and Its Variants

Jakob Jonsson

Abstract

We analyze the security of different versions of the adapted RSA-PSS signature scheme, including schemes with variable salt lengths and message recovery. We also examine a variant with Rabin-Williams (RW) as the underlying verification primitive. Our conclusion is that the security of RSA-PSS and RW-PSS in the random oracle model can be tightly related to the hardness of inverting the underlying RSA and RW primitives, at least if the PSS salt length is reasonably large. Our security proofs are based on already existing work by Bellare and Rogaway and by Coron, who examined signature schemes based on the original PSS encoding method.

Metadata
Available format(s)
PS
Category
Public-key cryptography
Publication info
Published elsewhere. An extended abstract of this paper is published in the proceedings of the Second Open NESSIE Workshop, 12-13 September 2001.
Keywords
digital signaturesfactoringpublic-key cryptographyRSA
Contact author(s)
jjonsson @ rsasecurity com
History
2002-03-21: last of 6 revisions
2001-06-27: received
See all versions
Short URL
https://ia.cr/2001/053
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2001/053,
      author = {Jakob Jonsson},
      title = {Security Proofs for the RSA-PSS Signature Scheme and Its Variants},
      howpublished = {Cryptology ePrint Archive, Paper 2001/053},
      year = {2001},
      note = {\url{https://eprint.iacr.org/2001/053}},
      url = {https://eprint.iacr.org/2001/053}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.