7

For encryption, we want identical plaintexts to encrypt to unique ciphers, also called Semantic Security.

For signatures, the plaintext (i.e. the message hash) is not a secret. The plaintext, if you can call it that, is publicly known. We don't need Semantic Security. There is no “plaintext”, so to speak. We aren’t encrypting.

So do we actually need padding in RSA signatures? Does padding do more than make it harder to infer information about plaintexts (which is why we usually add it for encryption)? Or is it more of a "well, it doesn't hurt" situation?

What is the theory behind adding padding (PSS, PKCS, etc) to signatures?

Note: There is an existing question of similar title, but the question's body does not ask what the title asks.

randyrand

3 Answers

14

Actually, we don't need padding; one alternative is 'full-domain-hashing'.

For example, if you have a 2048-bit RSA key with modulus $n$, you might give the message to SHAKE and extract 2047 bits, and insert a 0 bit at the front. Take that and perform the RSA private operation on it; that's your signature.

It should be easy to prove, assuming SHAKE acts like a random oracle, that this is secure assuming the RSA problem is hard (using the rerandomization property of RSA).

poncho
  • There’s a trivial proof, which is quite loose. And then there is an optimal proof where the reduction is easy, but its analysis is a bit more involved. https://link.springer.com/chapter/10.1007/3-540-44598-6_14 – K.G. Oct 22 '22 at 18:14
  • So you’re saying as long as we sign a secure hash of the message, then padding is not necessary? Isn’t that what most signing algorithms already do? So padding (for signatures) is not necessary pretty much… ever? – randyrand Oct 24 '22 at 11:25
  • @randyrand: no, poncho is not saying that. SHA-256 is a secure hash for signature applications, but direct RSA signature of a SHA-256 hash is not secure. – fgrieu Oct 24 '22 at 11:43
  • @K.G. there is also this (https://link.springer.com/article/10.1007/s00145-017-9257-9) which is tighter but based on a different problem. – Ruggero Oct 25 '22 at 09:03
  • poncho, would you consider MGF1 in PSS a method of padding that turns a secure hash into a domain hash? Is there a grey area there? – Maarten Bodewes Oct 25 '22 at 10:19
  • Yes, I would consider MGF1 to be padding; however, that really is semantics... – poncho Oct 25 '22 at 11:07
11

Yes, you need padding. Textbook RSA is very problematic. The simplest attack for signatures is probably malleability. Take two RSA signatures and multiply them; you will get a valid signature for the product.

Meir Maor
  • I don’t see how padding would fix that issue. Can’t you still do that with padded signatures? Padded or unpadded, forging random new signatures is statistically useless, as long as your message is already a secure hash. (Thanks for your answer btw!!) – randyrand Oct 24 '22 at 11:10
  • If you do all-or-nothing padding you can't take message, signature pairs and create a new third pair. With textbook signatures you can. If you have a message hash then this trivial attack won't work, but you still could have issues with the hash being much shorter than the RSA key. And poncho suggested full domain hashing as an alternative to padding. – Meir Maor Oct 24 '22 at 13:55
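An added example, not code from any of the answers above, that puts Meir Maor's malleability point and poncho's full-domain-hash alternative side by side. The key is a constructed toy key built from the Mersenne primes 2^31-1 and 2^61-1, the message strings are constructed, and the functions are named for this illustration only.

```python
import hashlib

# Constructed toy key: Mersenne primes 2^31-1 and 2^61-1 give a ~92-bit modulus,
# large enough that a 91-bit FDH output cannot collide by accident, yet far too
# small for real use (a production key would be 2048 bits or more).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

def rsa_private(x: int) -> int:
    return pow(x, D, N)

def rsa_public(y: int) -> int:
    return pow(y, E, N)

# Textbook RSA: sign the bare integer, no hash and no padding.
def textbook_sign(m: int) -> int:
    return rsa_private(m)

def textbook_verify(m: int, s: int) -> bool:
    return rsa_public(s) == m % N

# Full-domain hash as poncho describes it: SHAKE output of bit_length(N) - 1
# bits, so the leading bit is 0 and the value is always below N.
def fdh(msg: bytes) -> int:
    bits = N.bit_length() - 1
    nbytes = (bits + 7) // 8
    h = int.from_bytes(hashlib.shake_256(msg).digest(nbytes), "big")
    return h >> (8 * nbytes - bits)

def fdh_sign(msg: bytes) -> int:
    return rsa_private(fdh(msg))

def fdh_verify(msg: bytes, s: int) -> bool:
    return rsa_public(s) == fdh(msg)

def malleability_demo() -> dict:
    """Multiply two signatures and check what the product verifies as."""
    m1, m2 = 42, 99
    forged = (textbook_sign(m1) * textbook_sign(m2)) % N
    # (m1^d * m2^d)^e == m1 * m2 (mod N): a valid textbook signature on m1*m2.
    textbook_forgery = textbook_verify((m1 * m2) % N, forged)

    a, b = b"invoice 1", b"invoice 2"
    forged_fdh = (fdh_sign(a) * fdh_sign(b)) % N
    # The product is still an RSA preimage, but only of fdh(a)*fdh(b) mod N,
    # which is not the hash of any message one can name, so it verifies nothing.
    product_is_preimage = rsa_public(forged_fdh) == (fdh(a) * fdh(b)) % N
    return {"textbook_forgery": textbook_forgery,
            "fdh_product_is_preimage": product_is_preimage,
            "fdh_forgery": fdh_verify(b"invoice 3", forged_fdh),
            "fdh_honest": fdh_verify(a, fdh_sign(a))}
```

Running `malleability_demo()` shows the textbook forgery verifying and the same trick failing against the full-domain-hash scheme.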
7

do we actually need padding in RSA Signatures?

Yes if we want to:

  • Sign the hash of a message computed with a standard cryptographic hash like SHA-256, and resist attack in a chosen-message setup (where the attacker can obtain the signature of some messages of their choice, and succeeds by signing any other message of their choice; so-called EUF-CMA security). In particular, if we directly RSA-sign a 256-bit hash, we are vulnerable to the Desmedt-Odlyzko attack.
  • Directly sign a message without hashing it. Textbook RSA signature of the bare message is insecure in more ways.

No if we have a wide-enough hash; and demonstrably so if the hash is (about) as wide as the public modulus. For references see this (currently unanswered) question asking exactly how wide the hash needs to be.

fgrieu