Cryptography Reference
In-Depth Information
Example 8.13 We next generate a Rabin key suitable for use with Rabin-SAEP+. As
we have mentioned when discussing the integer factorization problem, the capability
to factor a 1024-bit modulus is not far over the horizon and a minimum modulus
size of 2048 bits is today regarded as necessary. This corresponds to a value of 256
for the security parameter k in the function RabinKeyGen and we will use 128-bit
seeds (which is the minimum acceptable length). Thus we obtain a Rabin key with
k = 256 (so that the modulus will be a 2050-bit integer which is a product of two
1025-bit primes, and whose two most significant bits are '10') as follows:
> seed1 := "3d53d86af89150d1437856427eb8ed78":
seed2 := "d5d7c4472ae89a7b0b0f7580177236a6":
rk := RabinKeyGen(256, seed1, seed2):
We do not print the entire key as it takes too much space but we can, for example,
print the two primes in the private key:
> rk[2][1 .. 2];
["18fcfeb3d2ab10126bcc440d3771778a8feae7f147f94a82a41f0041d6510be5bd10d66ccf8cbe\
ff825358b9571bbc933f57f14156ecd02cbe615c621e1aa7604eb165bd668c5ce8f5f4a8c95f962f\
55ca025b67adf5393a44bd7b096ffc8020061098b8b8ccf64fa2d2f1d0644ed1134a1d2348fc63e7\
627252e53b1ee5a44af", "149bea19772ca84ca84aff83cc3f1b5af62ae010354299205c941bb5b\
09c43a3cc14d452aa95a31b911e276d7468fd670f9226a4e085c8a0a7ad7eed23ac66d7c80f6a4db\
a3015a402d97cbadf861d3e1e1bf3cefd210e4353a73498e75a6f89063151a808e87d794b78388e7\
5c64e8e0b526e5ffc6a177436bfec1a18f25f813"]
Exercise 8.25 Write a Maple procedure that checks whether a Rabin-SAEP+ key
in the format provided by RabinKeyGen is valid. It should accept as input a key
and check that the prime factors are congruent to 3 (mod 4) and have the same
size, that the last two integers in the private key are the inverses of each of
these primes modulo the other and, finally, that the modulus is the product of
the two primes and its two most significant bits are '10'. If any of these
conditions does not hold, the procedure should return an informative error
message, otherwise it should declare that the key is valid. Use this procedure
to check the key generated above as well as other keys generated by RabinKeyGen,
including keys generated without passing the seed values to the function.
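The checks listed in Exercise 8.25, sketched as an added example in Python rather than Maple (this is not the book's code or its solution). The key layout, the function names and the toy key are assumptions made for illustration, and the primality test goes beyond the conditions the exercise lists.

```python
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin; primality is an added check, not one the exercise lists."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_rabin_key(modulus_hex, private_hex):
    """Return "valid" or a message naming the first failed condition.

    Assumed layout (not confirmed by the page): modulus as a hex string and
    private key as hex strings [p, q, p^-1 mod q, q^-1 mod p].
    """
    n = int(modulus_hex, 16)
    p, q, p_inv, q_inv = (int(h, 16) for h in private_hex)
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return "a factor is not prime"
    if p % 4 != 3 or q % 4 != 3:
        return "a prime is not congruent to 3 (mod 4)"
    if p.bit_length() != q.bit_length():
        return "the primes differ in bit length"
    if (p * p_inv) % q != 1 or (q * q_inv) % p != 1:
        return "a stored inverse is wrong"
    if n != p * q:
        return "the modulus is not the product of the primes"
    if n.bit_length() != 2 * p.bit_length() or n >> (n.bit_length() - 2) != 0b10:
        return "the two most significant bits of the modulus are not '10'"
    return "valid"

# Constructed toy key for illustration: p = 23, q = 31, N = 713 = 0b1011001001.
TOY_MODULUS = "2c9"
TOY_PRIVATE = ["17", "1f", "1b", "3"]
```

The modulus length test generalizes the page's figures (1025-bit primes, 2050-bit modulus) to primes of any common bit length.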
We are now ready to give the SAEP+ encoding and decoding functions. Here the
functions G, H are required and we will implement them exactly as in RSAES-OAEP,
i.e., we will obtain them from the “mask generating function” MGF1 which,
in turn, was derived from SHA-256 in our implementation. We also have to set the
values of $s_0$ and $s_1$ (and that of l which follows from them and from the value of k).
As we have seen in the preceding discussion on the security of the scheme, Boneh's
security proof assumes that $l + s_0 \le k/2$ and the reduction obtained makes it clear
that both $s_0$ and $s_1$ should be large enough so that the number of queries to the
decryption oracle in a CCA attack is small compared to $2^{s_0}$ and $2^{s_1}$. Because of this
a minimum value of $s_0 = 128$ is suggested in [34] for a 1024-bit modulus.
For the reasons already mentioned we will normally use a minimum length of
2048 bits for the modulus, and hence a minimum value k = 256 (recall that the
value of k represents the number of bytes in this implementation). We will also take
$s_0 = 256$ (i.e., a byte length of 32) as default value, which agrees with the output