Module pss

RSASSA-PSS signatures (RFC 8017 / PKCS#1 v2.2 §8.1).

PSS is the modern RSA signature padding; it supersedes PKCS#1 v1.5 signatures in every protocol that cares (TLS 1.3, JWS PS*, X.509 id-RSASSA-PSS, CMS, …). For new deployments this should be the default.

§Side-channel posture

PSS itself is structurally constant-time (CT): the EMSA-PSS encode and decode contain no secret-dependent branches. The signing direction, however, relies on the underlying super::rsa::rsa_decrypt_raw, which is currently not protected against the Bellcore single-fault attack (roadmap item T1-C; see arcana/doc/sca/countermeasures/rsa.rst). Coron-Mandal (Asiacrypt 2009) showed that PSS is provably secure against random faults in a separate fault model, but practical Bellcore-class faults still recover the key: the proof assumes the underlying RSA primitive is itself fault-resistant.

§Algorithm (EMSA-PSS)

For a modulus of modBits bits and hash H with output hLen:

  1. mHash = H(message)
  2. Generate a random salt of sLen bytes (typically sLen == hLen)
  3. M' = (0x00)^8 || mHash || salt
  4. h = H(M')
  5. DB = PS || 0x01 || salt where PS is zero-padding (emLen - sLen - hLen - 2 zero bytes, emLen = ceil(emBits / 8))
  6. maskedDB = DB XOR MGF1_H(h, len(DB))
  7. Clear the top 8*emLen - emBits bits of maskedDB[0] (emBits = modBits - 1)
  8. EM = maskedDB || h || 0xbc
  9. sig = EM^d mod n (RSASP1)

Verification reverses the process and re-checks h = H(M').
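The encode and verify steps above, as an added worked example that is not part of the arcana crate: an educational Python implementation of EMSA-PSS (RFC 8017 §9.1) with MGF1 over hashlib, covering steps 1-8 and the verification reversal; step 9, the RSA primitive, is left out. The salt is supplied by the caller so the output is reproducible; a real signer draws it from a CSPRNG.

```python
import hashlib
import hmac

def mgf1(seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """MGF1 (RFC 8017 B.2.1): H(seed || counter) blocks, concatenated and truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def emsa_pss_encode(m_hash: bytes, em_bits: int, salt: bytes, hash_name: str = "sha256") -> bytes:
    """Steps 2-8 of the module doc: build EM from mHash. em_bits = modBits - 1."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8                      # emLen = ceil(emBits / 8)
    if em_len < h_len + len(salt) + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    m_prime = b"\x00" * 8 + m_hash + salt            # step 3
    h = hashlib.new(hash_name, m_prime).digest()     # step 4
    ps = b"\x00" * (em_len - len(salt) - h_len - 2)
    db = ps + b"\x01" + salt                         # step 5
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(h, len(db), hash_name)))  # step 6
    top_mask = 0xFF >> (8 * em_len - em_bits)        # step 7: clear 8*emLen - emBits top bits
    masked_db = bytes([masked_db[0] & top_mask]) + masked_db[1:]
    return masked_db + h + b"\xbc"                   # step 8

def emsa_pss_verify(m_hash: bytes, em: bytes, em_bits: int, s_len: int, hash_name: str = "sha256") -> bool:
    """Reverse the encoding and re-check h == H(M'); every format check fails closed."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top_bits = 8 * em_len - em_bits
    if masked_db[0] & ((0xFF << (8 - top_bits)) & 0xFF):   # cleared bits must read as zero
        return False
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(h, len(masked_db), hash_name)))
    db = bytes([db[0] & (0xFF >> top_bits)]) + db[1:]     # undo the mask on the top bits too
    ps_end = em_len - h_len - s_len - 2
    if any(db[:ps_end]) or db[ps_end] != 0x01:            # PS must be all-zero, then 0x01
        return False
    salt = db[-s_len:] if s_len else b""
    h_prime = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_prime)               # constant-time final compare

def demo() -> bool:
    """Round trip for a 2048-bit modulus (emBits = 2047) with a constructed 32-byte salt."""
    m_hash = hashlib.sha256(b"constructed test message").digest()  # step 1
    em = emsa_pss_encode(m_hash, 2047, bytes(range(32)))
    return emsa_pss_verify(m_hash, em, 2047, 32)
```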

§API

use arcana::rsa::pss::{pss_sign_msg, pss_verify_msg};
use arcana::hash::sha256::Sha256;

let sig = pss_sign_msg::<Sha256>(&sk, msg, 32, &mut rng).unwrap();
assert!(pss_verify_msg::<Sha256>(&pk, msg, 32, &sig));

Precomputed-digest variants (pss_sign / pss_verify) are also exposed, matching the ECDSA API convention – the common case in protocol implementations is to receive an already-hashed digest from an upstream layer (X.509, CMS, …).

Functions§

pss_sign
RSASSA-PSS sign of a precomputed digest (RFC 8017 §8.1.1).
pss_sign_msg
Convenience: hash msg with H, then sign with a random salt.
pss_sign_with_salt
RSASSA-PSS sign with a caller-supplied salt (RFC 8017 §8.1.1).
pss_verify
RSASSA-PSS verify of a precomputed digest (RFC 8017 §8.1.2).
pss_verify_msg
Convenience: hash msg with H, then verify.