# Bibliography on RSA ###### tags: `bibliography` # Papers ## Variants of Bleichenbacher’s Low-Exponent Attack on PKCS\#1 RSA Signatures * https://download.hrz.tu-darmstadt.de/pub/FB20/Dekanat/Publikationen/CDC/sigflaw.pdf * SICHERHEIT 2008 * ## The exact security of digital signatures: How to sign with RSA and Rabin * Mihir Bellare and Phillip Rogaway, EUROCRYPT '96' * https://web.cs.ucdavis.edu/%7Erogaway/papers/exact * Original scheme in Figure 1 ## PKCS #1 v2.2 * https://www.ietf.org/rfc/rfc8017.html ## Evaluation of Security Level of Cryptography: RSA-OAEP, RSA-PSS, RSA Signature * By Alfred Menezes, 2001 * Figure 3 (PSS encoding) uses a Trailer Field (TF), which can be either a single octet 0xbc or the concatenation of two octet HID and 0xcc, where HID is the single octet identifer of the hash function as specified in the ISO/IEC 10118 standard. This follows IEEE P1363a. But in PKCS \#1 v1.5, TF is a single octet 0xbc. * Number field sieve (NFS) was invented in 1990. Now it's considered the main method of facotoring algorithms. * **Broadcast attack** (when e=3 is used for encryption): a good and concise summary. * e=3 for encryption considered risky; suggest to have e at least 2^{16} + 1 * RSA-OAEP: have a security proof but not tight. This has impact on the choice of parameters. * RSA-PSS: Have a tigh security proof. However, the length of salt is vague in the PKCS \#1 v2.1 standard. ## RSA-PSS -- provably secure RSA Signature and their Implementation v1.0.3 * Johannes Bock, dissertation, 2011 * https://rsapss.hboeck.de/rsapss-1.0.3.pdf * A good covarge of RSA-PSS. Easy read. Not an authoritative reference though. * "Usually today`s RSA implementations use an exponent of e = 65537 - a tradeoff  between very big exponents that make veri cation very slow and very small exponents that seem risky. e = 65537 avoids all known attacks against small exponents. The NIST recommendations do not allow exponents smaller than 65537 (page 6 in [NIST, 2010])." * "For applications requiring signature validity for up to 10 years, PSS with a minimum salt length of 64 bit is the only suggested padding scheme (chapter 9.3, page 29 in [ETSI, 2007])."