    if not StringTools:-IsHexDigit(seed) or StringTools:-Length(seed) <> hhLen then
      error "the seed must be a 32-byte hex string"
    end if;
    s := seed
  end if;
  # Mask the data block DB with the seed, then mask the seed with the masked data block
  dbMask := MGF1(s, k-hLen-1);
  maskedDB := bytestohexstring(BitXor(hexstringtobytes(DB), hexstringtobytes(dbMask)));
  seedMask := MGF1(maskedDB, hLen);
  maskedSeed := bytestohexstring(BitXor(hexstringtobytes(s), hexstringtobytes(seedMask)));
  # The encoded message is EM = 00 || maskedSeed || maskedDB, returned as a hex string
  cat("00", maskedSeed, maskedDB)
end proc:
Remark 8.3 Before proceeding any further, it is convenient to point out that
EMEOAEPEnc also works if no value is passed to the parameter seed. In this
case, the seed is pseudo-randomly generated by the function itself. As on other
similar occasions, this possibility is included for demonstration purposes only, and
we stress that the security reduction for RSA-OAEP does not apply to this variant;
see Exercise 8.19. In this case the seed, obtained by applying a PRG to a shorter
seed taken from the system clock, is far from random: on the one hand, the
PRG is deterministic and, on the other hand, the system clock seed is not random
either. However, if an externally generated random seed is supplied to the function,
then the security reduction given in [80] should apply.
Exercise 8.18 Write a variant of the function EMEOAEPEnc that uses the previous
function BBSByteGen to generate the seed from an initial seed provided by the
system. Explain the reasons why, despite the fact that BBSByteGen uses Blum-Blum-Shub,
this method is highly insecure. Discuss the security of the variant obtained by
generating the seed by means of the Blum-Blum-Shub PRG, itself seeded with a
truly random 256-bit seed.
Next we give the EME-OAEP decoding function, i.e., the inverse function of the
previous one. The input parameters are similar to those in EMEOAEPEnc, with the
encoded message EM replacing the message and without the parameter seed, since
the seed is not necessary for decoding. The output is the decoded message given as
a byte string.
> EMEOAEPDec := proc(EM::string, k::posint,
    {L::string := "", H::name := 'SHA256', hLen := 32})
  local lHash, Y, hhLen, maskedSeed, maskedDB, seedMask, seed, dbMask, DB, lHash2, dr;
  lHash := H(L, hex);
  # Split EM = Y || maskedSeed || maskedDB; positions are in hex digits, so hhLen = 2*hLen
  Y := StringTools:-Take(EM, 2);
  hhLen := 2*hLen;
  maskedSeed := StringTools:-SubString(EM, 3 .. hhLen+2);
  maskedDB := StringTools:-SubString(EM, hhLen+3 .. -1);
  # Undo the two masking steps in reverse order: first recover the seed, then DB
  seedMask := MGF1(maskedDB, hLen);
  seed := bytestohexstring(BitXor(hexstringtobytes(maskedSeed), hexstringtobytes(seedMask)));
  dbMask := MGF1(seed, k-hLen-1);
  DB := bytestohexstring(BitXor(hexstringtobytes(maskedDB), hexstringtobytes(dbMask)));
  # DB begins with the label hash; separate it from the remainder dr
  lHash2 := StringTools:-Take(DB, hhLen);
  dr := StringTools:-Drop(DB, hhLen);
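The following Python rendering of the two procedures is added here as an example and is not part of the book's Maple code; it shows the encoding and decoding steps end to end, including the checks a decoder performs once dr has been recovered. It assumes SHA-256, MGF1 as specified in PKCS#1, byte strings in place of hex strings and an empty default label; the seed is either supplied by the caller, as the remark requires, or drawn from the operating system's random generator.

```python
import hashlib, os

H = hashlib.sha256
hLen = H().digest_size  # 32 bytes for SHA-256


def mgf1(seed, mask_len):
    """MGF1 (PKCS#1): H(seed || C) for C = 0, 1, ..., truncated to mask_len bytes."""
    out = b"".join(H(seed + c.to_bytes(4, "big")).digest()
                   for c in range((mask_len + hLen - 1) // hLen))
    return out[:mask_len]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def eme_oaep_encode(M, k, seed=None, L=b""):
    """EM = 00 || maskedSeed || maskedDB for an RSA modulus of k bytes."""
    if len(M) > k - 2 * hLen - 2:
        raise ValueError("message too long")
    if seed is None:
        seed = os.urandom(hLen)  # externally generated random seed, not a clock-seeded PRG
    if len(seed) != hLen:
        raise ValueError("the seed must be a 32-byte string")
    PS = b"\x00" * (k - len(M) - 2 * hLen - 2)
    DB = H(L).digest() + PS + b"\x01" + M  # lHash || PS || 01 || M, k - hLen - 1 bytes
    maskedDB = xor(DB, mgf1(seed, k - hLen - 1))
    maskedSeed = xor(seed, mgf1(maskedDB, hLen))
    return b"\x00" + maskedSeed + maskedDB


def eme_oaep_decode(EM, k, L=b""):
    """Inverse of eme_oaep_encode; raises ValueError on any decoding error."""
    if len(EM) != k or k < 2 * hLen + 2:
        raise ValueError("decoding error")
    Y, maskedSeed, maskedDB = EM[0], EM[1:hLen + 1], EM[hLen + 1:]
    seed = xor(maskedSeed, mgf1(maskedDB, hLen))
    DB = xor(maskedDB, mgf1(seed, k - hLen - 1))
    lHash2, dr = DB[:hLen], DB[hLen:]
    sep = dr.find(b"\x01")
    # The checks (Y == 0, label hash match, 00..00 01 separator) are folded into one
    # verdict so that the error raised does not tell the caller which check failed.
    ok = ((Y == 0) & (lHash2 == H(L).digest()) & (sep >= 0)
          & (dr[:max(sep, 0)] == bytes(max(sep, 0))))
    if not ok:
        raise ValueError("decoding error")
    return dr[sep + 1:]
```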