RSASSA-PSS is an improved probabilistic signature scheme with appendix. What that means is that you can use a private RSA key to sign data in combination with some random input. The other side of the communication can then verify the signature with the corresponding public RSA key. Because random data is used in this signature scheme, two signatures for the same input are different and both can be used to verify the original data.

RSASSA-PSS was standardized in PKCS#1 v2.1. It can be used as an alternative to the more widespread RSASSA algorithm in PKCS#1 v1.5.


From a general standpoint, RSASSA-PSS is more robust than RSASSA-PKCS1-v1_5. With RSASSA-PSS you do not have to take as many extra precautions in order to use it securely as you need to with the older version.

But the original RSASSA is more widely supported by existing protocols and software. For instance the SSL protocol only supports RSASSA PKCS#1-v1.5 for RSA signatures and does not support RSASSA-PSS.

So although RSASSA-PSS is preferred from

mbed TLS support of RSASSA-PSS

mbed TLS fully supports RSASSA-PSS directly in its RSA module. In order to use RSA as specified in PKCS#1 v2.1 with for instance SHA1 as the hash method, you should initialize your RSA context with:

mbedtls_rsainit( &rsa, RSA_PKCS_V21, MBEDTLS_MD_SHA256);

After loading the RSA key into that context, you can then use it to sign using the RSASSA-PSS scheme by using the generic mbedtls_rsapkcs1_sign() for signing and mbedtls_rsapkcs1_verify() for verification or the more specific mbedtls_rsarsassa_pss_sign() and mbedtls_rsarsassa_pss_verify().

Did this help?