7

For encryption, we want identical plaintexts to encrypt to different ciphertexts; this is also called semantic security.

For signatures, the plaintext (i.e. the message hash) is not a secret. The plaintext, if you can call it that, is publicly known. We don't need semantic security. There is no "plaintext", so to speak. We aren't encrypting.

So do we actually need padding in RSA signatures? Does padding do more than make it harder to infer information about plaintexts (which is why we usually add it for encryption)? Or is it more of a "well, it doesn't hurt" situation?

What is the theory behind adding padding (PSS, PKCS, etc.) to signatures?

Note: There is an existing question of similar title, but the question's body does not ask what the title asks.

randyrand

3 Answers

14

Actually, we don't need padding; one alternative is 'full-domain-hashing'.

For example, if you have 2048 bit RSA key with modulus $n$, you might give the message to SHAKE and extract 2047 bits; and insert a 0 bit at the front. Take that and perform the RSA private operation on it, that's your signature.

It should be easy to prove that, assuming SHAKE acts like a random oracle, this is secure assuming the RSA problem is hard (using the rerandomization property of RSA).

poncho
11

Yes, you need padding. Textbook RSA is very problematic. The simplest attack for signatures is probably malleability. Take two RSA signatures and multiply them; you will get a valid signature for the product.

Meir Maor
7

do we actually need padding in RSA Signatures?

Yes if we want to:

  • Sign the hash of a message computed with a standard cryptographic hash like SHA-256, and resist attack in a chosen-message setup (where the attacker can obtain the signature of some messages of their choice, and succeeds by signing any other message of their choice; so-called EUF-CMA security). In particular, if we directly RSA-sign a 256-bit hash, we are vulnerable to the Desmedt-Odlyzko attack.
  • Directly sign a message without hashing it. Textbook RSA signature of the bare message is insecure in more ways.

No if we have a wide-enough hash, and demonstrably so if the hash is (about) as wide as the public modulus. For references see this (currently unanswered) question asking exactly how wide the hash needs to be.

fgrieu
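The following is an added example for this thread, not code posted by poncho, Meir Maor or fgrieu. It implements the full-domain-hash scheme from poncho's answer (SHAKE256 output of 2047 bits behind a leading 0 bit, then the RSA private operation) next to textbook RSA on the bare message, and runs the multiplicative forgery from Meir Maor's answer against both: the product of two textbook signatures verifies as a signature on the product of the messages, while the product of two FDH signatures only "signs" $H(m_1) \cdot H(m_2) \bmod n$, a value for which no message hashing to it is known. Assumptions not in the thread: public exponent 65537, a pure-Python Miller-Rabin key generator seeded with a fixed value so the run is reproducible (a demo choice, never acceptable for real keys), and the two constructed messages. The Desmedt-Odlyzko attack from fgrieu's answer is not reproduced here.

```python
"""RSA signatures without padding: full-domain hashing vs. textbook RSA.

Added example for this thread, not code from any of the answerers.  The FDH
construction follows poncho's description; the forgery follows Meir Maor's
malleability remark.  Key generation is seeded with a fixed value so the run
is reproducible: that is a DEMO choice only and would be fatal in production.
"""
import functools
import hashlib
import random

BITS = 2048                       # modulus size used in poncho's answer
E = 65537                         # public exponent (assumed; usual choice)
_rng = random.Random(20240601)    # DEMO ONLY: deterministic, not a key source

# Small primes for trial division ahead of Miller-Rabin.
_SMALL_PRIMES = [p for p in range(3, 2000)
                 if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def is_probable_prime(n, rounds=32):
    """Trial division plus Miller-Rabin; adequate for a demo key."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime with its top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        c = _rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if c % E != 1 and is_probable_prime(c):   # keeps gcd(E, p-1) == 1
            return c


def keygen(bits=BITS):
    p = gen_prime(bits // 2)
    q = gen_prime(bits // 2)
    while q == p:
        q = gen_prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))     # (n, d)


def fdh(msg, n):
    """Full-domain hash: SHAKE256(msg) cut to nbits-1 bits, i.e. a leading 0 bit,
    so the value is always below the modulus (poncho's construction)."""
    width = n.bit_length() - 1
    nbytes = (width + 7) // 8
    h = int.from_bytes(hashlib.shake_256(msg).digest(nbytes), "big")
    return h >> (nbytes * 8 - width)


def sign_fdh(msg, n, d):
    return pow(fdh(msg, n), d, n)


def verify_fdh(msg, sig, n):
    return pow(sig, E, n) == fdh(msg, n)


def sign_textbook(m, n, d):
    """Textbook RSA on a bare integer message m < n: no hash, no padding."""
    return pow(m, d, n)


def verify_textbook(m, sig, n):
    return pow(sig, E, n) == m % n


@functools.lru_cache(maxsize=None)
def run_demo():
    n, d = keygen()
    # 1. Textbook RSA on bare messages is malleable: s1*s2 is a signature on m1*m2.
    m1, m2 = 123456789, 987654321                   # constructed sample messages
    s1, s2 = sign_textbook(m1, n, d), sign_textbook(m2, n, d)
    textbook_forgery_ok = verify_textbook((m1 * m2) % n, (s1 * s2) % n, n)
    # 2. Against FDH the product only "signs" H(a)*H(b) mod n, which is not the
    #    hash of any message the attacker can exhibit (here: the concatenation).
    a, b = b"pay alice 10", b"pay bob 20"            # constructed sample messages
    t1, t2 = sign_fdh(a, n, d), sign_fdh(b, n, d)
    prod = (t1 * t2) % n
    return {
        "modulus_bits": n.bit_length(),
        "fdh_verifies": verify_fdh(a, t1, n) and verify_fdh(b, t2, n),
        "fdh_rejects_swapped": not verify_fdh(a, t2, n),
        "textbook_forgery_ok": textbook_forgery_ok,
        "fdh_product_is_hash_product": pow(prod, E, n) == (fdh(a, n) * fdh(b, n)) % n,
        "fdh_forgery_ok_for_concat": verify_fdh(a + b, prod, n),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Key generation takes a second or two in pure Python; the result is cached so the checks share one key. The contrast to look at is `textbook_forgery_ok` (True) against `fdh_forgery_ok_for_concat` (False): the homomorphism of RSA is the same in both cases, what FDH removes is the attacker's ability to name a message whose hash equals the forged target, which is exactly the role a padding scheme such as PSS plays.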