PSS code question

Daiki Ueno ueno at
Thu Jun 9 10:40:04 CEST 2011

Werner Koch <wk at> writes:

> Having said this, I'd propose to change the semantics and require that
> mHash is passed to gcry_pk_sign and gcry_pk_verify if PSS is used.
> rfc-3447 actually allows this:
>    3. Without compromising the security proof for RSASSA-PSS, one may
>       perform steps 1 and 2 of EMSA-PSS-ENCODE and EMSA-PSS-VERIFY (the
>       application of the hash function to the message) outside the
>       module that computes the rest of the signature operation, so that
>       mHash rather than the message M itself is input to the module.  In
>       [...]
> Shall I do these changes?

Certainly - thanks for pointing out this.

> I'd also like to see a way to test at least the verification of a PSS
> message against a known test vector.  Are there any real world
> application of PSS or even test vectors?

I used the test vectors Simon mentioned, manually comparing the step
results with pss-int.txt.  Maybe good to have selftests using the test
vector, though I guess it is not that easy since both PSS and OAEP use
random bits during the computation.

Daiki Ueno

More information about the Gcrypt-devel mailing list