0

So I read on Wikipedia that digital signatures need padding (like PSS), and I know this is true for RSA. But now I ask myself: does DSA also need padding?

Raphael Ahrens

1 Answer

2

The short answer is no or yes, depending on how you look at it.

With RSA, as specified in PKCS#1, the message to sign is first hashed, and the hash value is "converted" into an integer modulo n (where n is the modulus, a part of the RSA key pair). In the old versions of the standard, that conversion is indeed a kind of padding (extra bytes are concatenated to the hash value, and the result is interpreted as an integer modulo n with big-endian convention). The newer padding, named "PSS", is a bit more complex and implies more work than mere concatenation, but we still call it "padding", mostly out of tradition.

Details of the padding turned out to be very important to the security of RSA as a signature scheme (the modular exponentiation of RSA is malleable, which is a problem for signatures, and the padding fixes that).

In DSA, as specified in FIPS 186-3, the input message is also hashed, and the hash value is also converted into a modular integer (modulo q, the size of the subgroup used by the key). This calls for a conversion of "some bytes" to "an integer", which could be called "padding", too (it is no more preposterous than calling PSS a type of "padding"). It so happens that DSA has far fewer requirements for this conversion, so it is defined with a rather simple conversion process: the hash value is truncated or expanded to the length of q (in bits), by adding zeros (on the "left"); then the resulting sequence of bytes is converted to an integer (big-endian convention again), and reduced modulo q (since the sequence was made to match the length of q, this reduction is computationally easy).

So we can say that there is some padding in DSA, but a simple padding with only zeros.

Tom Leek
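The hash-to-integer conversion described in the answer above, written out as an added example that is not part of the original post. The function names and the moduli `Q160` and `Q256` are assumptions made for illustration: they are constructed integers of the right bit length standing in for q, not real DSA domain parameters.

```python
import hashlib

def bits2int(digest: bytes, qlen: int) -> int:
    """Big-endian integer made from the leftmost min(qlen, outlen) bits."""
    z = int.from_bytes(digest, "big")
    excess = 8 * len(digest) - qlen
    # Digest longer than q: drop the rightmost (low-order) bits.
    # Digest shorter than q: nothing to do, the missing high bits are
    # implicit zeros on the left, which is the "padding" in question.
    return z >> excess if excess > 0 else z

def hash_to_zq(digest: bytes, q: int) -> int:
    """Map a digest to an integer in [0, q)."""
    z = bits2int(digest, q.bit_length())
    # z < 2**qlen <= 2*q, so a single conditional subtraction is the
    # whole modular reduction; no division is needed.
    return z - q if z >= q else z

def dsa_z(message: bytes, q: int, hash_name: str = "sha256") -> int:
    """Hash the message, then convert the digest as above."""
    return hash_to_zq(hashlib.new(hash_name, message).digest(), q)

# Constructed stand-ins for q (assumption: only the bit length matters here).
Q160 = 2**160 - 47
Q256 = 2**256 - 189

if __name__ == "__main__":
    msg = b"constructed sample message"
    for qname, q in (("Q160", Q160), ("Q256", Q256)):
        for h in ("sha1", "sha256"):
            print(f"{h:>6} into {qname}: {dsa_z(msg, q, h):#x}")
```

With SHA-256 and a 160-bit q the digest is truncated to its leftmost 20 bytes; with SHA-1 and a 256-bit q the 160-bit digest is used as is, the high 96 bits being zero.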