Submission to IEEE P1363 PSS: Provably Secure Encoding Method for Digital Signatures

We describe two encoding methods: EMSA-PSS, for signing with appendix, and EMSR-PSS, for signing with message recovery. These encodings are appropriate for signatures based on the RSA or Rabin/Williams primitive. The methods are as simple and e cient as the methods in the current P1363 draft (based on X9.31 and ISO 9796), but they have better demonstrated security. In particular, treating the underlying hash function as ideal, EMSA-PSS and EMSR-PSS give rise to provably-secure schemes: the ability to forge implies the ability to invert the underlying trapdoor permutation. In fact, when the underlying primitive is RSA, the schemes are not only provably secure, but are so in a tight way: the ability to forge with a certain amount of computational resources implies the ability to invert RSA (on the same size modulus) with essentially the same computational resources. Additional bene ts are described in the body of this paper. The methods described in this contribution are from our Eurocrypt '96 paper, The exact security of digital signatures| How to sign with RSA and Rabin [3]. Department of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093. E-Mail: [email protected]. URL: http://www-cse.ucsd.edu/users/mihir. Supported by NSF CAREER Award CCR-9624439 and a 1996 Packard Foundation Fellowship in Science and Engineering. y Department of Computer Science, University of California at Davis, Davis, California 95616. Email: [email protected]. URL: http://www.cs.ucdavis.edu/~rogaway. Supported by NSF CAREER Award CCR-9624560, and RSA Data Security { MICRO Grant 97-150.