Cryptography Reference
In-Depth Information
M
H
(
L
)
00
···
01
seed
MGF
k
−
hLen
−
1
⊕
⊕
MGF
hLen
00
maskedSeed
maskedDB
Figure 9.10.
OAEP Preformatting for RSA.
3. Pick a random byte string of length hLen denoted seed.
4. Set dbMask to MGF
k
−
hLen
−
1
(seed).
5. Set maskedDB to DB
dbMask.
6. Set seedMask to MGF
hLen
(maskedDB).
7. Set maskedSeed to seed
⊕
seedMask.
8. Set EM (as for “Encoded Message”) to the concatenated string 00
⊕
||
maskedSeed
maskedDB. Note that this string is of length
k
.
9. This byte string is converted into an integer.
10. We compute the plain RSA encryption.
11. We convert the result into a string of
k
bytes.
||
Note that the OAEP padding is indeed a two-round Feistel scheme. The decryption is
then straightforward.
1. We convert the ciphertext into an integer. We reject it if it is greater than the
modulus.
2. We perform the plain RSA decryption and obtain another integer.
3. We convert back the integer into a byte string.
4. We parse the string to 00
||
||
maskedSeed
maskedDB where maskedSeed is
of length hLen.
5. Set seedMask to MGF
hLen
(maskedDB).
6. Set seed to maskedSeed
seedMask.
7. Set dbMask to MGF
k
−
hLen
−
1
(seed).
8. Set DB to maskedDB
⊕
dbMask.
9. We check that DB has the
H
(
L
)
⊕
||
00
||···||
00
||
01
||
M
.
10. We output
M
.
Search WWH ::
Custom Search