LLMpedia: the first transparent, open encyclopedia generated by LLMs

RSA-PSS

Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article genealogy: parent article Rivest, Shamir, and Adleman (hop 5, terminal).


RSA-PSS
Name: RSA-PSS
Type: Signature scheme
Introduced: 2001
Designers: Bellare, Rogaway, Shoup
Standard: PKCS#1 v2.1, RFC 8017

RSA-PSS is a probabilistic signature scheme based on RSA that provides provable security in the random oracle model and is widely adopted in cryptographic standards and protocols. It combines the Rivest–Shamir–Adleman public-key algorithm with a mask generation function and a hash function to produce signatures that resist chosen-message attacks. RSA-PSS has been standardized by bodies such as the Internet Engineering Task Force, ISO/IEC, and the RSA Laboratories consortium, and is implemented in libraries used by products from Microsoft, Apple Inc., Google, Mozilla, and OpenSSL-based projects.

Overview

RSA-PSS is a signature encoding method that augments the classic Rivest–Shamir–Adleman algorithm with probabilistic padding to achieve stronger security guarantees. It was proposed by Mihir Bellare, Phillip Rogaway, and Thomas Shrimpton (building on earlier work by Victor Shoup) and is often referenced alongside standards such as PKCS#1 and RFC 8017. Implementations appear in toolchains and frameworks from OpenSSL, LibreSSL, BoringSSL, and WolfSSL, and in proprietary stacks from IBM, Intel, and Amazon Web Services.

History and Standardization

The design of RSA-PSS emerged in the late 1990s and early 2000s amid a wave of research led by academics at institutions including University of California, San Diego, University of California, Davis, and Microsoft Research. Early formalizations by Mihir Bellare, Phillip Rogaway, and Tadayoshi Kohno influenced the move toward provable security. RSA-PSS was incorporated into PKCS#1 v2.1 by RSA Laboratories and later referenced in IETF documents; RFC 3447 and RFC 8017 describe related encoding schemes. Standards bodies such as ISO/IEC JTC 1 and national agencies like NIST recommended or recognized RSA-PSS for federal and international use, influencing adoption by vendors such as Cisco Systems, Juniper Networks, and F5 Networks.

Technical Description

RSA-PSS uses a hash function (e.g., SHA-256, SHA-1, SHA-512) and a mask generation function (MGF1) to produce a padded message representative before RSA exponentiation with the private key. Signing hashes the message, generates a random salt, hashes the message digest together with the salt, masks the salt and padding with MGF1, and combines the components into an encoded message EM that is then raised to the RSA private exponent. Verification reverses the process using the public exponent: it unmasks EM to recover the salt, recomputes the hash, and checks that the hash, salt, and padding are consistent. PSS parameters consist of the chosen hash, the salt length, and the mask generation function; these parameters are often expressed in X.509 certificates and used by protocols such as TLS and SSH.
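The EMSA-PSS encoding and verification steps just described, written out as an added example in pure Python (this is not code from the original article or from any library it names). It follows the RFC 8017 layout (8 zero bytes before the message hash and salt, MGF1 mask over PS || 0x01 || salt, H, and the 0xbc trailer) but omits the RSA modular exponentiation; the function names are mine, and em_bits is assumed to be modBits - 1 of the signer's key (2047 for a 2048-bit modulus). Because a fresh salt is drawn on every call, two encodings of the same message differ, which is the probabilistic property the article refers to.

```python
import hashlib
import hmac
import os

def mgf1(seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || C) for C = 0, 1, ... until `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes = None,
                    hash_name: str = "sha256") -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1). em_bits is modBits - 1 for a real RSA key
    (assumption: 2047 for a 2048-bit modulus). A random hLen-byte salt is drawn if none is given."""
    h_len = hashlib.new(hash_name).digest_size
    salt = os.urandom(h_len) if salt is None else salt
    em_len = (em_bits + 7) // 8
    if em_len < h_len + len(salt) + 2:
        raise ValueError("encoding error: modulus too small for this hash and salt length")
    m_hash = hashlib.new(hash_name, message).digest()
    h_val = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()  # H = Hash(M')
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt        # DB = PS || 0x01 || salt
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(h_val, em_len - h_len - 1, hash_name)))
    clear = 8 * em_len - em_bits  # leftmost bits are zeroed so that EM < modulus
    masked_db = bytes([masked_db[0] & (0xFF >> clear)]) + masked_db[1:]
    return masked_db + h_val + b"\xbc"

def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, salt_len: int,
                    hash_name: str = "sha256") -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2): unmask DB, recover the salt, recompute H and compare."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h_val = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    clear = 8 * em_len - em_bits
    if masked_db[0] >> (8 - clear):  # the leftmost `clear` bits of maskedDB must be zero
        return False
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(h_val, em_len - h_len - 1, hash_name)))
    db = bytes([db[0] & (0xFF >> clear)]) + db[1:]
    ps_len = em_len - h_len - salt_len - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False  # padding string or 0x01 separator inconsistent
    m_hash = hashlib.new(hash_name, message).digest()
    h_prime = hashlib.new(hash_name, b"\x00" * 8 + m_hash + db[ps_len + 1:]).digest()
    return hmac.compare_digest(h_val, h_prime)  # constant-time compare of H and H'
```

In a full RSASSA-PSS signature the encoded EM is converted to an integer and raised to the private exponent, and the verifier applies the public exponent before calling the verify step with the salt length it expects.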

Security Properties and Proofs

RSA-PSS is notable for its provable security: under the assumption that RSA inversion is hard and modeling the hash as a random oracle, RSA-PSS achieves existential unforgeability against adaptive chosen-message attacks. Foundational proofs were developed by Mihir Bellare, Phillip Rogaway, and T. Shoup and extended by researchers at UC Berkeley and Columbia University. Security analyses reference hardness assumptions studied by scholars such as Dan Boneh and Oded Goldreich and are evaluated in threat models used by NIST and the IETF working groups. Cryptanalytic scrutiny from researchers at Cryptography Research, Inc. and academic conferences like CRYPTO, EUROCRYPT, and ASIACRYPT further solidified confidence in the scheme.

Implementations and Usage

RSA-PSS is implemented in major cryptographic libraries including OpenSSL, BoringSSL, LibreSSL, GnuTLS, WolfSSL, and Microsoft CryptoAPI; it is available in programming frameworks such as the Java Cryptography Architecture in Java SE and OpenJDK, the .NET Framework, and Go's standard library. Protocols that support or recommend RSA-PSS include TLS 1.3, S/MIME, SSH, and CMS. Adoption in commercial and open-source products spans Red Hat, Debian, Ubuntu, Android, iOS, and cloud providers such as Google Cloud Platform and Amazon Web Services, which offer hardware-backed keys through FIDO and PKCS#11 interfaces.

Performance and Compatibility

Performance of RSA-PSS is dominated by RSA key operations; software optimizations leverage assembly routines from vendors like Intel and AMD and accelerator support in ARM and IBM Power processors. Hardware security modules (HSMs) from Thales Group, Entrust, and Yubico often provide RSA-PSS offload. Compatibility considerations arise when interoperating with legacy systems that expect deterministic schemes like RSA with PKCS#1 v1.5 padding; migration and negotiation behaviors are specified in protocols defined by IETF and guidance from NIST.

Vulnerabilities and Attacks

While RSA-PSS mitigates many padding-based attacks that affected older schemes, its security depends on correct parameter selection and robust random salt generation. Using weak hash functions such as MD5, or deploying the scheme on platforms with poor random number generation, can weaken its guarantees. Side-channel research at Vrije Universiteit Amsterdam, KU Leuven, and ETH Zurich shows that timing, power analysis, and fault-injection attacks can compromise private keys when implementations lack countermeasures; mitigations include constant-time algorithms and blinding techniques advocated by Cryptography Research, Inc. and standards from NIST. Historical incidents involving misconfiguration in products from vendors such as RSA Security, and deployment errors in OpenSSL-based services, underscore the importance of following IETF standards and the recommendations of OWASP-related groups.

Category:Digital signature schemes