Cryptography Reference
In-Depth Information
8.3.7 RSAES-OAEP in Maple
Next we give a Maple implementation of RSAES-OAEP. A basic component of
such an implementation is a hash function which, according to the recommendation
in [154] should be either SHA-1 or SHA-256/384/512. Since SHA-1 is no longer
regarded as secure, we choose SHA-256 for our implementation and hence we will
such as those in Appendix A.
We start with two data conversion primitives that, although not explicitly men-
tioned in the preceding description of the scheme, are used for conversion between
two common message formats: byte strings (also called octet strings) and integers.
The byte strings will be represented by even-length strings of hexadecimal digits,
so that their byte length will be just one-half of their hexadecimal length (following
earlier conventions we shall use lower-case letters for hexadecimal digits). We use
the same notation as in [154] and the first of these functions is I2OSP ('Integer to
Octet String Primitive'), which converts a non-negative integer
x
to a byte string of
specified length
xLen
. This is the 'octet length' of the string we want to obtain (not
the hexadecimal length) and hence it must be as a minimum equal to
1.
Although this is not necessary for the implementation of RSA-OAEP that follows,
the function uses this value as default for
xLen
, and the value is obtained through the
function
intlog
that we have used in the implementation of plain RSA.
> I2OSP := proc(x::nonnegint, xLen::posint := intlog[256](x)+1)
local l, s;
if 256ˆxLen <= x then
error "integer too large"
else
l := bytestohexstring(ListTools:-Reverse(convert(x, base, 256)));
s := StringTools:-Repeat("00", xLen-iquo(StringTools:-Length(l), 2))
end if;
cat(s, l)
end proc:
The next function
OS2IP
('Octet String to Integer Primitive') inverts
I2OSP
,
converting an even-length hex string (an 'octet string') to a non-negative integer:
> OS2IP := proc(X::string)
convert(X, decimal, hex)
end proc:
Next we give the 'mask generating function'. Following the recommendation in
[154], we will use the function
MGF1
derived from the hash function (SHA-256 in
our case) in the way explained above. The required inputs are, with the notation used
in [154], a byte string
mgfSeed
and a positive integer
maskLen
that represents the
intended length of the byte string
mask
it produces as output. In addition, there are
two additional keyword parameters which are used to specify the underlying hash
function and the byte length of its output. The default values are
SHA256
and 32
(since SHA-256 produces a 32-byte string as output). The output is a hex string of
byte length
maskLen
.
log
256
x
+
