PSS code question
Daiki Ueno
ueno at unixuser.org
Thu Jun 9 10:40:04 CEST 2011
Werner Koch <wk at gnupg.org> writes:
> Having said this, I'd propose to change the semantics and require that
> mHash is passed to gcry_pk_sign and gcry_pk_verify if PSS is used.
> rfc-3447 actually allows this:
>
> 3. Without compromising the security proof for RSASSA-PSS, one may
> perform steps 1 and 2 of EMSA-PSS-ENCODE and EMSA-PSS-VERIFY (the
> application of the hash function to the message) outside the
> module that computes the rest of the signature operation, so that
> mHash rather than the message M itself is input to the module. In
> [...]
>
> Shall I do these changes?
Certainly - thanks for pointing this out.
> I'd also like to see a way to test at least the verification of a PSS
> message against a known test vector. Are there any real-world
> applications of PSS or even test vectors?
I used the test vectors Simon mentioned, manually comparing the step
results with pss-int.txt. Maybe good to have selftests using the test
vector, though I guess it is not that easy since both PSS and OAEP use
random bits during the computation.
Regards,
--
Daiki Ueno
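The two points in this exchange, taking mHash rather than M as the input to the PSS module (RFC 3447 section 8.1, note 3) and testing PSS against a known vector despite the random salt, are illustrated by the following added example. It is not libgcrypt code and not from either author; it is a stand-alone Python implementation of EMSA-PSS-ENCODE and EMSA-PSS-VERIFY (RFC 3447 section 9.1) over hashlib, written so that the salt can be injected, which is how a selftest can run the encoder deterministically and compare against a fixed vector. The function names, the use of SHA-256, and the sample values (emBits = 1023, a salt of 32 0x11 bytes) are assumptions made for this example, not values from the thread or from pss-int.txt.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # hLen for SHA-256 is 32


def mgf1(seed, mask_len, hash_fn=HASH):
    """MGF1 from RFC 3447 appendix B.2.1: Hash(seed || counter) concatenated."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += hash_fn(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def emsa_pss_encode(m_hash, em_bits, salt=None, s_len=H_LEN, hash_fn=HASH):
    """EMSA-PSS-ENCODE with steps 1-2 done by the caller: m_hash = Hash(M).

    salt=None draws sLen random bytes (normal operation); passing a fixed
    salt makes the output deterministic so a selftest can check it.
    """
    h_len = hash_fn().digest_size
    if len(m_hash) != h_len:
        raise ValueError("mHash must be exactly hLen octets")
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: emLen too small for hLen + sLen + 2")
    if salt is None:
        salt = os.urandom(s_len)
    elif len(salt) != s_len:
        raise ValueError("salt must be exactly sLen octets")
    # M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt ; H = Hash(M')
    h = hash_fn(b"\x00" * 8 + m_hash + salt).digest()
    ps = b"\x00" * (em_len - s_len - h_len - 2)
    db = ps + b"\x01" + salt
    db_mask = mgf1(h, em_len - h_len - 1, hash_fn)
    masked_db = bytes(a ^ b for a, b in zip(db, db_mask))
    # Clear the leftmost 8*emLen - emBits bits of the first octet.
    zero_bits = 8 * em_len - em_bits
    masked_db = bytes([masked_db[0] & (0xFF >> zero_bits)]) + masked_db[1:]
    return masked_db + h + b"\xbc"


def emsa_pss_verify(m_hash, em, em_bits, s_len=H_LEN, hash_fn=HASH):
    """EMSA-PSS-VERIFY taking mHash; returns True for 'consistent'."""
    h_len = hash_fn().digest_size
    em_len = (em_bits + 7) // 8
    if len(m_hash) != h_len or len(em) != em_len:
        return False
    if em_len < h_len + s_len + 2:
        return False
    if em[-1] != 0xBC:
        return False
    masked_db = em[: em_len - h_len - 1]
    h = em[em_len - h_len - 1 : em_len - 1]
    zero_bits = 8 * em_len - em_bits
    # The leftmost 8*emLen - emBits bits of maskedDB must already be zero.
    if masked_db[0] & ((0xFF << (8 - zero_bits)) & 0xFF):
        return False
    db_mask = mgf1(h, em_len - h_len - 1, hash_fn)
    db = bytes(a ^ b for a, b in zip(masked_db, db_mask))
    db = bytes([db[0] & (0xFF >> zero_bits)]) + db[1:]
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = db[len(db) - s_len :]
    h_prime = hash_fn(b"\x00" * 8 + m_hash + salt).digest()
    # Constant-time comparison of H and H'.
    return hmac.compare_digest(h, h_prime)


def pss_selftest():
    """Deterministic selftest: fixed salt in, known-good round trip out.

    Constructed values: emBits = 1023 (a 1024-bit modulus), salt = 32 x 0x11.
    A real selftest would compare `em` byte-for-byte against a stored vector.
    """
    em_bits = 1023
    salt = b"\x11" * H_LEN
    m_hash = hashlib.sha256(b"constructed test message").digest()
    em = emsa_pss_encode(m_hash, em_bits, salt=salt)
    if not emsa_pss_verify(m_hash, em, em_bits):
        return False
    # Any change to the encoded message, or to mHash, must be rejected.
    tampered = em[:5] + bytes([em[5] ^ 0x01]) + em[6:]
    if emsa_pss_verify(m_hash, tampered, em_bits):
        return False
    other_hash = hashlib.sha256(b"a different message").digest()
    return not emsa_pss_verify(other_hash, em, em_bits)
```

Because the encoder takes mHash and an optional fixed salt, the hashing of M can live outside the signing module as the quoted RFC note allows, and the selftest problem raised above reduces to calling the encoder with the vector's salt and comparing the result; OAEP would need the same kind of seed injection for its selftest.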