Cryptography Reference
Encrypt algorithm. Obviously, one can split the output of the RSA Sign algorithm
into two input blocks for the RSA Encrypt algorithm and then encrypt each block
individually. Unfortunately, there are situations where this type of reblocking is not
feasible. In these situations, one may consider one of the following three possibilities
to avoid the reblocking problem in the first place:
- One can prescribe the form of the moduli to make sure that the reblocking
  problem does not occur.
- One can enforce that the operation using the smaller modulus is applied first.
  In this case, however, it may happen that a message is first encrypted and then
  digitally signed.
- One can equip each user with two public key pairs. One pair has a “small”
  modulus and is used by the RSA Sign algorithm, and the other pair has a
  “large” modulus and is used by the RSA Encrypt algorithm.
The first possibility is not recommended, because it is difficult to prescribe the
form of the moduli in some binding way. The second possibility is not recommended
either, because conditional reordering can change the meaning of the cryptographic
protection one wants to implement. So the third possibility is often the preferred
choice. Unfortunately, using two public key pairs per user also increases the key
management overhead.
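
The reblocking problem and the third possibility above, shown as an added example that is not from the book: toy textbook RSA with tiny constructed primes and no hashing or padding. The function names and both key pairs are assumptions made for illustration.

```python
# Toy textbook RSA (no padding, tiny constructed primes); illustrates modulus sizes only.

def keypair(p, q, e=17):
    """Build (n, e, d) from constructed primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)  # modular inverse, Python 3.8+

def sign(m, key):
    n, _, d = key
    return pow(m, d, n)

def recover(s, key):
    n, e, _ = key
    return pow(s, e, n)

def encrypt(x, key):
    n, e, _ = key
    if x >= n:  # the signature is not a valid single block for this modulus
        raise ValueError("reblocking needed: input >= encryption modulus")
    return pow(x, e, n)

def decrypt(c, key):
    n, _, d = key
    return pow(c, d, n)

def count_reblocking_failures(messages, sign_key, enc_key):
    """Sign each message, then encrypt the signature; count signatures that do not fit."""
    failures = 0
    for m in messages:
        s = sign(m, sign_key)
        try:
            c = encrypt(s, enc_key)
        except ValueError:
            failures += 1
            continue
        # When the signature fits, the recipient decrypts and recovers m.
        assert recover(decrypt(c, enc_key), sign_key) == m
    return failures

LARGE = keypair(1009, 1013)  # n = 1022117 (constructed)
SMALL = keypair(61, 53)      # n = 3233 (constructed)

if __name__ == "__main__":
    # Signer uses the large modulus, recipient encrypts under the small one.
    print("one key pair each: ", count_reblocking_failures(range(SMALL[0] + 1), LARGE, SMALL))
    # Third possibility: small signing modulus, large encryption modulus.
    print("two key pairs each:", count_reblocking_failures(range(SMALL[0]), SMALL, LARGE))
```

Because signing is a permutation of the residues modulo the signer's modulus, signing more distinct messages than the smaller modulus has residues guarantees at least one signature that cannot be encrypted as a single block; with the small signing modulus every signature fits.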
In summary, the RSA DSS can be considered reasonably secure. This is
particularly true if the modulus n is sufficiently large. In fact, n must be at least large
enough to make it computationally infeasible to factorize it with any known integer
factorization algorithm. As we said before (in the context of the RSA asymmetric
encryption system), this means that n should be at least 1,024 bits long. Because
digital signatures are often valuable (digital) goods, it is often recommended to use
longer moduli, such as 2,048 bits. Also, for all practical purposes, it is recommended
to use RSA as a DSS with appendix and to use a cryptographic hash function
accordingly. It is obvious that one then has to select a cryptographic hash function
(e.g., MD5 or SHA-1). It is less obvious that one also has to select an expansion
function, such as $h_{\mathrm{PKCS\#1}}(m)$ or the one employed by the PSS and the PSS-R.
The choice of an appropriate expansion function is particularly important if one
wants to prove or show security claims for the resulting DSS. We revisit this topic
in Section 15.3.
15.2.2 ElGamal
In Section 14.2.3, we introduced the ElGamal asymmetric encryption system and
mentioned that the ElGamal public key cryptosystem as suggested in [7] also yields