Cryptography Reference
In-Depth Information
    while StringTools:-IsPrefix("00", dr) do
        dr := StringTools:-Drop(dr, 2)
    end do;
    if lHash2 <> lHash or Y <> "00" or StringTools:-Take(dr, 2) <> "01" then
        error "decryption error"
    else
        StringTools:-Drop(dr, 2)
    end if
end proc:
Remark 8.4 Observe that, following a recommendation in [154], motivated by a
chosen ciphertext attack of Manger [133] against the version included in PKCS#1
v2.0, in case of decoding error—which may be due to various causes—the function
only returns the message “decryption error” at the end of the computation (this
function is called by the RSAES-OAEP decryption function given below, hence the
term “decryption” in the message). This is to prevent an attacker from distinguishing
rejections at the various steps using, for example, timing analysis.
Example 8.9 Suppose that we take k = 256, which is the value that corresponds to a
2048-bit RSA modulus. Then the maximum message length in bytes is, according to
[154], equal to k - 2hLen - 2 = 256 - 64 - 2 = 190, assuming that a hash function
with an output length of 256 bits (32 bytes) such as SHA-256 is being used (we
have not enforced this limitation in EMEOAEPEnc because it will be enforced in the
higher level RSAES-OAEP encryption function). First we generate a message of this
length, which corresponds to a message of exactly twice this length in hexadecimal,
i.e., 380:
> with(StringTools);
Randomize();
M := LowerCase(Random(380, xdigit));
M :=
"8c8e4b15af772c1af9b0e8f2afd6c71bd5ff62aeaa06f3dc90afb05ec41db47c8889e7f18eae6b6e1\
dff16060cab1fbeeff29ffc6db7f83ebfeba209292a9cffcccce5474d8c3d2a0534ddbcdaa7b2b81\
e4cadc2ab4562dbafd8de23ebfafd4adcc1ec7d1ccc7f8e0d9cdb5ed866a0bd2a03d2ca25ed010be\
19f9fe6ffd16b9b3f54056d2cec20aad3af6b735a9afcc250320cbfbbdf745faf8a2e79c1f2ad931\
bcab215bd9fdcc9f08eec8a7712bbf8a76ebaafbecc6febb9c89d6986ce"
Next, we encode this message using k = 256, the seed r we generated in Example
8.8, and default values for the remaining parameters:
> EM := EMEOAEPEnc(M, 256, r);
EM :=
"00cab3be8d020c088b1142f325585e04ae649d3d36e617b46c90a7683f959a93697a19d40142f1c6a\
f588479bb925f5b72834bfd25f1bd84de71d8d8ee484c304c7f5bd7c961703dfd3285775d4788c62\
e099ecaf8e61763844343e09a8efe269238d5b2d4079390264bdc128ca32302a68df9a623c9dbb21\
f6356970ee4ece33e08d0552803793a41fa1dc3230294365d9403de1e95a6695d1303aee3b860f5f\
ab829f27959b89959955a59bd84fa9f645d1085362e43e39f0da64bf3b7b3aca77da18161088c250\
a99ea8af9744b10356470c593c7a243cecc72a3860b492321928db3e065c34588d61bafac6dfcfa9\
06744c3924f469febd1f463f277ed54"
Next, we decode the encoded message EM to recover M; to save space we do not
print M again but we check that M is recovered:
> evalb(EMEOAEPDec(EM, 256) = M);
true
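The decoding rule of Remark 8.4 and the length bound of Example 8.9, as an added Python example that is not the book's Maple code: every check (Y, lHash, the 01 separator) is folded into one flag and failure is reported in a single place with a single message. The function names, the "encoding error" text and the empty default label are assumptions of this sketch, and Python integer arithmetic gives no constant-time guarantee, so it shows the structure of the check rather than a timing-safe implementation.

```python
import hashlib
import hmac

H_LEN = hashlib.sha256().digest_size  # hLen = 32 bytes for SHA-256

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function (PKCS #1) over SHA-256."""
    blocks = (hashlib.sha256(seed + c.to_bytes(4, "big")).digest()
              for c in range(-(-length // H_LEN)))
    return b"".join(blocks)[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def max_message_len(k: int) -> int:
    return k - 2 * H_LEN - 2  # 190 for k = 256

def oaep_encode(msg: bytes, k: int, seed: bytes, label: bytes = b"") -> bytes:
    if len(msg) > max_message_len(k) or len(seed) != H_LEN:
        raise ValueError("encoding error")  # message text is an assumption
    ps = bytes(max_message_len(k) - len(msg))  # zero padding string PS
    db = hashlib.sha256(label).digest() + ps + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    if len(em) != k or k < 2 * H_LEN + 2:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    l_hash = hashlib.sha256(label).digest()
    bad = em[0]  # Y must be 0x00
    bad |= 0 if hmac.compare_digest(db[:H_LEN], l_hash) else 1
    rest, found, index = db[H_LEN:], 0, 0
    for i, b in enumerate(rest):  # scan all of PS || 01 || M, no early exit
        is_sep = int(b == 1) & (1 - found)  # first 0x01 is the separator
        bad |= (1 - found) & (1 - is_sep) & int(b != 0)  # junk inside PS
        index += i * is_sep
        found |= is_sep
    bad |= 1 - found  # no 0x01 separator at all
    if bad:  # the single place where failure is reported
        raise ValueError("decryption error")
    return rest[index + 1:]
```

A caller sees the same exception whether the leading byte, the label hash or the padding was wrong, which is the property the remark asks for.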
We are now ready to give the RSAES-OAEP encryption and decryption functions.
The encryption function RSAESOAEPEncrypt is given next. In addition to