RSA Signature Scheme¶
links: AC2 TOC - Digital Signatures - Index
See RSA to understand the basics.
Let
Again as in the encrypt-decrypt cycle in RSA, the signature and verify cycle relies on the inverse feature of the two keys leveraged. Signing is done by applying a modular exponentiation to the message using the senders private key
Security¶
Textbook RSA should never be implemented like that as it's not EUF-CMA secure:
- Textbook RSA is deterministic (same message always gives the same result)
- Textbook RSA is multiplicative (The attacker can choose
and , get signatures on them, and then construct a valid signature on the message , even though they never got a signature on that message)
Sign the hash not the message!
Hash-and-Sign¶
Sign
RSA-SHA¶
RSA-FDH (RSA-PSS)¶
Standardised in PKCS#1 v2.1 as RSA-PSS (probabilistic signature scheme)
EUF-CMA secure under RSA assumption (provided that
See more details here: FDH
links: AC2 TOC - Digital Signatures - Index