Cryptography Reference
In-Depth Information
4. Generate a random byte string seed of length hLen.
5. Compute dbMask := MGF(seed, k − hLen − 1).
6. Compute maskedDB := DB ⊕ dbMask.
7. Compute seedMask := MGF(maskedDB, hLen).
8. Compute maskedSeed := seed ⊕ seedMask.
9. Output the k-byte encoded message EM obtained as:
   EM := 00 || maskedSeed || maskedDB.
Once the message is encoded by means of EME-OAEP, it can be encrypted with the RSA public key:

RSA encryption. The encryption algorithm proceeds by converting EM to an element m ∈ Z_n in the natural way, then encrypting m by means of the RSA function, obtaining c := m^e mod n and, finally, converting c to a byte string C of length k, which is the output of RSAES-OAEP encryption.
Decryption begins by recovering the encoded message EM from the ciphertext:

RSA decryption. The ciphertext C is first converted to an integer c ∈ Z_n in the standard way, then the RSA decryption primitive is applied to obtain m := c^d mod n and the integer m is converted to an encoded message of k bytes, EM.
Finally, decryption is completed by using EME-OAEP decoding to recover the message M from the encoded message EM:

EME-OAEP decoding.
1. Set the optional label L and compute lHash := Hash(L). The default value for L is the empty string.
2. Separate the encoded message EM into three byte strings of length 1, hLen, and k − hLen − 1, respectively, obtaining:
   EM := Y || maskedSeed || maskedDB.
3. Compute seedMask := MGF(maskedDB, hLen).
4. Compute seed := maskedSeed ⊕ seedMask.
5. Compute dbMask := MGF(seed, k − hLen − 1).
6. Compute DB := maskedDB ⊕ dbMask.
7. Separate DB into a byte string lHash′ of length hLen, a padding string PS consisting of '00' bytes (which may be empty), and a message M, obtaining:
   DB := lHash′ || PS || 01 || M.
8. If there is no '01' byte to separate PS from M, if lHash′ is not equal to lHash, or if Y is nonzero, then output 'decryption error' else output the message M.
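
The encoding steps 4-9 and decoding steps 1-8 above as a runnable round trip; this is an added example, not code from the original text. It assumes SHA-256 as Hash and MGF1 as MGF, rebuilds DB from the layout given in decoding step 7 because the earlier encoding steps are not part of this section, and uses a hypothetical seed parameter so that tests are reproducible.

```python
import hashlib
import hmac
import os

H = hashlib.sha256          # assumption: Hash is SHA-256
H_LEN = H().digest_size     # hLen

def mgf1(seed, length):
    # Assumption: MGF is MGF1, i.e. Hash(seed || 4-byte counter) blocks, truncated.
    blocks = (length + H_LEN - 1) // H_LEN
    out = b"".join(H(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, label=b"", seed=None):
    # Steps before 4 are not in this section; the DB layout is taken from decoding step 7.
    ps_len = k - len(msg) - 2 * H_LEN - 2
    if ps_len < 0:
        raise ValueError("message too long")
    db = H(label).digest() + b"\x00" * ps_len + b"\x01" + msg
    # Hypothetical hook: a caller-supplied seed is for tests only; real use draws it at random.
    seed = os.urandom(H_LEN) if seed is None else seed      # step 4
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))           # steps 5-6
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))          # steps 7-8
    return b"\x00" + masked_seed + masked_db                 # step 9

def oaep_decode(em, label=b""):
    if len(em) < 2 * H_LEN + 2:
        raise ValueError("decryption error")
    l_hash = H(label).digest()                               # step 1
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]  # step 2
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))          # steps 3-4
    db = xor(masked_db, mgf1(seed, len(masked_db)))          # steps 5-6
    rest = db[H_LEN:].lstrip(b"\x00")                        # step 7: drop PS
    # Step 8: evaluate all three checks, then report one undifferentiated error.
    ok = rest[:1] == b"\x01"
    ok &= hmac.compare_digest(db[:H_LEN], l_hash)
    ok &= y == 0
    if not ok:
        raise ValueError("decryption error")
    return rest[1:]
```

All three failure conditions of step 8 raise the same error, so a caller cannot tell from the result which check failed. Python gives no constant-time guarantee, so this shows the logic only, not a side-channel-hardened implementation.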