Cryptography Reference
In-Depth Information
5. $c := m^e \bmod n \in \mathbb{Z}_n$ (Here, $m$ is regarded as an element of $\mathbb{Z}_n$ given by its binary representation, and encrypted with the RSA function using the public key. The resulting ciphertext $c \in \mathbb{Z}_n$ may also be regarded as a bit string of length $k$, completing with zeros on the left if necessary).
The output of Enc is the ciphertext $c$.
Dec: Given the ciphertext $c \in \mathbb{Z}_n$ and the private key $(n, d)$, the following values are successively computed:
1. $w := c^d \bmod n \in \mathbb{Z}_n$, which can be regarded, by using its binary expansion completed with leading zeros if necessary, as an element of $\{0,1\}^k$.
2. $s := \mathrm{MSB}_{k-k_0-1}(w)$ (recall that $\mathrm{MSB}_i(b)$ and $\mathrm{LSB}_i(b)$ denote, respectively, the $i$ most significant bits and the $i$ least significant bits of a bit string $b$).
3. $t := \mathrm{LSB}_{k_0}(w)$.
4. $r := H(s) \oplus t$.
5. $z := G(r) \oplus s$.
6. $u := \mathrm{LSB}_{k_1}(z)$.
7. $m := \mathrm{MSB}_l(z)$.
The output of Dec is $m$ if $u = 0^{k_1}$; otherwise the ciphertext is rejected.
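The Dec steps above as a runnable sketch, added here as an illustration and not taken from the book. Assumptions: SHAKE-256 stands in for G and H, the key is a constructed toy key built from two Mersenne primes, k0 = k1 = 64, enc is obtained by inverting the Dec steps, and w is read as the (k-1)-bit block s || t.

```python
import hashlib
import secrets

# Constructed toy key (assumption): two Mersenne primes, far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = N.bit_length()           # k: bit length of n (216 here)
K0, K1 = 64, 64              # k0, k1: toy lengths chosen for this example
L = K - K0 - K1 - 1          # l: message length in bits (87 here)

def _xof(tag, x, in_bits, out_bits):
    """SHAKE-256 stand-in for G and H (assumption); returns an out_bits-bit integer."""
    data = tag + x.to_bytes((in_bits + 7) // 8, "big")
    digest = hashlib.shake_256(data).digest((out_bits + 7) // 8)
    return int.from_bytes(digest, "big") >> (-out_bits % 8)

def G(r):
    return _xof(b"G", r, K0, L + K1)

def H(s):
    return _xof(b"H", s, L + K1, K0)

def enc(m, r=None):
    """Inverse of dec (assumption): s = (m || 0^k1) xor G(r), t = r xor H(s)."""
    if not 0 <= m < (1 << L):
        raise ValueError("message must fit in l bits")
    r = secrets.randbits(K0) if r is None else r
    s = (m << K1) ^ G(r)
    t = r ^ H(s)
    return pow((s << K0) | t, E, N)      # c := (s || t)^e mod n

def dec(c):
    """Steps 1-7 of Dec; returns m, or None when the ciphertext is rejected."""
    w = pow(c, D, N)                     # 1. w := c^d mod n
    s = w >> K0                          # 2. s := MSB_{k-k0-1}(w)
    t = w & ((1 << K0) - 1)              # 3. t := LSB_{k0}(w)
    r = H(s) ^ t                         # 4. r := H(s) xor t
    z = G(r) ^ s                         # 5. z := G(r) xor s
    u = z & ((1 << K1) - 1)              # 6. u := LSB_{k1}(z)
    m = z >> K1                          # 7. m := MSB_l(z)
    # Assumption: w is read as the (k-1)-bit block s || t, so a set top bit is rejected too.
    if s.bit_length() > L + K1 or u != 0:
        return None
    return m
```

A ciphertext that has been altered after encryption no longer yields u = 0^{k1} except with probability about 2^{-k1}, so dec returns None for it instead of a modified message.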
OAEP is the padding method implicitly defined above. It encodes the message $m$ as $m := s \,\|\, t$, where $s$ and $t$ are as in Definition 8.13. A graphical depiction of OAEP padding is the following:
$\mathrm{OAEP}(m, r) = s \,\|$