RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 8017, "PKCS #1: RSA Cryptography Specifications Version 2.2", November 2016

Source of RFC: IETF - NON WORKING GROUP

Errata ID: 5577
Status: Verified
Type: Editorial
Publication Format(s) : TEXT

Reported By: Dave Thompson
Date Reported: 2018-12-16
Verifier Name: Benjamin Kaduk
Date Verified: 2019-01-05

Section B.1 says:

   As of today, the best (known) collision attacks against these hash
   functions are generic attacks with complexity 2L/2, where L is the
   bit length of the hash output.  For the signature schemes in this
   document, a collision attack is easily translated into a signature
   forgery.  Therefore, the value L / 2 should be at least equal to the
   desired security level in bits of the signature scheme (a security
   level of B bits means that the best attack has complexity 2B).  The

It should say:

   As of today, the best (known) collision attacks against these hash
   functions are generic attacks with complexity 2^(L/2), where L is the
   bit length of the hash output.  For the signature schemes in this
   document, a collision attack is easily translated into a signature
   forgery.  Therefore, the value L / 2 should be at least equal to the
   desired security level in bits of the signature scheme (a security
   level of B bits means that the best attack has complexity 2^B).  The

Notes:

Superscripting presumably lost in translation from the original. RFC 3447 (for v2.1) had these correct. To a person familiar with the art they are obvious typos (Editorial) but to other readers they could change the meaning.

Report New Errata