Do RSA signatures really need padding?

Question

For encryption, we want identical plain-text's to encrypt to unique ciphers, also called Semantic Security.

For Signatures, the plain-text (i.e. message hash) is not a secret. The plain-text, if you can call it that, is publicly known. We don't need Semantic Security. There is no “plain-text”, so to speak. We aren’t encrypting.

So do we actually need padding in RSA Signatures? Does padding do more than make it harder to infer information about plain-texts (which is why we usually add it for encryption)? Or is it more of a, "well, it doesn't hurt?" situation?

What is the theory behind adding padding (PSS, PKCS, etc) to signatures?

Note: There is an existing question of similar title, but the question's body does not ask what the title asks.

possible dupe of Is there an easy way to make textbook RSA secure enough so it can be used in real life? 2) RSA signatures without padding? 3 Why hash the message before signing it with RSA? — kelalaka
– kelalaka, Commented Oct 22, 2022 at 16:08
I think what you need to learn about the attack models on the signature schemes then your question will become more clear. Here read from here Relation between attack and attack model for signatures or on Wikipedia Digital Signature Forgery and see an attack here — kelalaka
– kelalaka, Commented Oct 24, 2022 at 15:03

fgrieu · Accepted Answer · 2022-10-25 08:56:16Z

do we actually need padding in RSA Signatures?

Yes if we want to:

Sign the hash of a message computed with a standard cryptographic hash like SHA-256, and resist attack in a chosen-messages setup (where the attacker can obtain the signature of some messages of their choice, and succeeds by signing any other message of their choice; so-called EUF-CMA security). In particular, if we directly RSA-sign a 256-bit hash, we are vulnerable to the Desmedt-Odlyzko attack.
Directly sign a message without hashing it. Textbook RSA signature of the bare message is insecure in more ways.

No is we have a wide-enough hash; and demonstrably so if the hash is (about) as wide as the public modulus. For references see this (currently unanswered) question asking exactly how wide the hash needs to be.

thanks for the clear answer! This makes sense with my broader understanding — randyrand
– randyrand, Commented Oct 25, 2022 at 7:41
@randyrand: if an answer best/fully answers your question, the standard "thanks" is simply accepting it using the tick button ✓ on the left of the answer — fgrieu
– fgrieu ♦, Commented Oct 25, 2022 at 8:54

poncho · Accepted Answer · 2022-10-22 14:17:34Z

14

Actually, we don't need padding; one alternative is 'full-domain-hashing'.

For example, if you have 2048 bit RSA key with modulus $n$, you might give the message to SHAKE and extract 2047 bits; and insert a 0 bit at the front. Take that and perform the RSA private operation on it, that's your signature.

It should be easy to prove that, assuming SHAKE acts like a random oracle, that this is secure assuming the RSA problem is hard (using the rerandomization property of RSA).

answered Oct 22, 2022 at 14:17

poncho♦

155k12 gold badges242 silver badges384 bronze badges

1

$\begingroup$ There’s a trivial proof, which is quite loose. And then there is an optimal proof where the reduction is easy, but its analysis is a bit more involved. link.springer.com/chapter/10.1007/3-540-44598-6_14 $\endgroup$

K.G.
– K.G.

2022-10-22 18:14:56 +00:00
Commented Oct 22, 2022 at 18:14
$\begingroup$ So you’re saying as long as we sign a secure hash of the message, then padding is not necessary? Isn’t that what most signing algorithms already do? So padding (for signatures) is not necessary pretty much… ever? $\endgroup$

randyrand
– randyrand

2022-10-24 11:25:20 +00:00
Commented Oct 24, 2022 at 11:25
2

$\begingroup$ @randyrand: no, poncho is not saying that. SHA-256 is a secure hash for signature applications, but direct RSA signature of a SHA-256 hash is not secure. $\endgroup$

fgrieu
– fgrieu ♦

2022-10-24 11:43:19 +00:00
Commented Oct 24, 2022 at 11:43
$\begingroup$ @K.G. there is also this (link.springer.com/article/10.1007/s00145-017-9257-9) which is tighter but based on a different problem. $\endgroup$

Ruggero
– Ruggero

2022-10-25 09:03:43 +00:00
Commented Oct 25, 2022 at 9:03
$\begingroup$ poncho, would you consider MGF1 in PSS a method of padding that turns a secure hash into a domain hash? Is there a grey area there? $\endgroup$

Maarten Bodewes
– Maarten Bodewes ♦

2022-10-25 10:19:59 +00:00
Commented Oct 25, 2022 at 10:19

| Show 1 more comment

Glorfindel · Accepted Answer · 2022-10-23 18:03:49Z

11

Yes, you need padding. Textbook RSA is very problematic. The simplest attack for signatures is probably malleability. Take two RSA signatures, multiply them you will get a valid signature for the multiplication.

edited Oct 23, 2022 at 18:03

Glorfindel

5181 gold badge11 silver badges22 bronze badges

answered Oct 22, 2022 at 8:14

Meir Maor

12.2k1 gold badge25 silver badges56 bronze badges

$\begingroup$ I don’t see how padding would fix that issue. Can’t you still do that with padded signatures? Padded or unpadded, forging random new signatures is statistically useless, as long as your message is already a secure hash. (Thanks for your answer btw!!) $\endgroup$

randyrand
– randyrand

2022-10-24 11:10:30 +00:00
Commented Oct 24, 2022 at 11:10
$\begingroup$ If you do all or nothing padding you can't take message, signature pairs and create a new third pair. With textbook signature you can. If you have a message hash than this trivial attack won't work but you still could have issues with the hash being much shorter than the RSA key. And poncho suggested full domain hashing as an alternative to padding. $\endgroup$

Meir Maor
– Meir Maor

2022-10-24 13:55:36 +00:00
Commented Oct 24, 2022 at 13:55

Add a comment |

Stack Exchange Network

Do RSA signatures really need padding?

3 Answers 3

Linked

Hot Network Questions

Do RSA signatures really need padding?

3 Answers 3

Linked

Related

Hot Network Questions