[Cryptography] Why RSA-PSS is much less secure than PKCS #1 v1.5

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Nov 12 02:29:37 EST 2019

Thierry Moreau <thierry.moreau at connotech.com> writes:

>What is the relevance of a side-channel vulnerability for signature
>*validation* which handles only public data?

Sure, good point.  However given the general concern about side-channel
protection (I know of at least one crypto library that implement side-channel
protection in the public-key ops, just in case someone finds something to
exploit there), designing a scheme that makes it essentially impossible to
create a non-side-channeled implementation is kinda bad.

>P.S. Do we have an ASN.1 Org Id for CRC-256 hash algorithm?

We do now:

  crc256   OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 3029 3 1 }
  xor256   OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 3029 3 2 }

I prefer xor256 because you can create completely standard messages with the
same hash value as the intended target, without having to stuff in a few bytes
of binary data as for the CRC.  If I get time over the weekend, and I can find
a CMS message signed with RSA-PSS, I'll create a forgery using xor256.


More information about the cryptography mailing list