Cryptography Reference
In-Depth Information
=
as byte strings; for example, if
n
is a 2048-bit modulus, then we have
k
256. We
also remark that in PKCS #1 v2.1 the decryption exponent
d
corresponding to an
RSA public key
(
n
,
e
)
is only required to be a positive integer less than
n
satisfying
ed
. Thus, in general,
d
may take several possible values, among
which we find the one in our definition, namely, the inverse of
e
in
≡
1
(
mod
λ(
n
))
Z
φ(
n
)
, and also
Z
λ(
n
)
the variant in which
d
is the inverse of
e
in
. As we have remarked, these two
values are, in general, distinct and, when this is the case, the latter is smaller than
the former.
•
A hash function Hash whose outputs are
hLen
bytes in length. We will later take
Hash = SHA-256 in our implementation, so that in this case
hLen
32 (this is
the value—given in bytes—for the parameter
k
0
in the previous description of
RSA-OAEP).
=
•
A
Mask Generating Function
MGF that takes as input a byte string
mgfSeed
and a
desired output length
maskLen
2
32
hLen
, and produces as output MGF(
mgfSeed
,
maskLen
)=
mask
, where
mask
is a byte string of length
maskLen
. MGF will be
defined fromHash according to the recommendation in [154], as follows. Consider
the byte strings:
≤
Hash
(
mgfSeed
||
i
),
0
≤
i
≤
maskLen
/
hLen
−
1
,
where
i
is regarded as a byte string of length 4. Successively concatenate all of
them to obtain:
T
:=
Hash
(
mgfSeed
||
1
)
||
Hash
(
mgfSeed
||
2
)
||
...
and output
mask
, the string consisting of the leading
maskLength
bytes of
T
.
•
A message
M
to be encrypted, given as a byte string of length
mLen
, where
mLen
≤
k
−
2
hLen
−
2.
•
An optional label
L
to be associated with the message, with default value the
empty string.
•
The ciphertext
C
, a byte string of length
k
.
We next describe the algorithms used by RSAES-OAEP. We start with the OAEP
encoding (i.e., the padding algorithm), called EME-OAEP.
EME-OAEP encoding
.
1. Set the optional label
L
and compute
lHash
:=
Hash
(
L
)
. The default value for
L
is the empty string.
2. Generate a byte string
PS
consisting of
k
2 zero bytes. Note
that the
mLen
specification above allows this length to be 0, in which case
PS
is
the empty string.
3. Form a data block
DB
of
k
−
mLen
−
2hLen
−
1 bytes (here and in what follows we denote
a single byte by two hexadecimal digits):
−
hLen
−
DB
:=
lHash
||
PS
||
01
||
M
.