=
/
=
length of SHA-256. This gives a suggested value of $l = k/2 - s_0$ which, for $k = 256$, produces $l = 96$ as the byte length of the messages to be encrypted but, in fact, the maximum length of messages will be one byte less than this because, to recover them uniquely, we will pad them with '00' bytes (possibly none) followed by a '01' byte.
On the other hand, since $s_1 = k - l - s_0$ and we have taken $l + s_0 = k/2$, we see that $s_1 = k/2$. This is the length of the seed in bytes and is represented by the local variable sLen in the function below, which does the SAEP+ encoding. Thus, in particular, for $k = 256$, a random 128-byte seed should be passed to this function by the Rabin-SAEP+ encryption function to be defined later.
The encoding will be performed by the function SAEPPlusEnc below, where the required input parameters are the message (given as a hexadecimal string), the security parameter k, and seed, for a $k/2$-byte random seed (given also as a hexadecimal string). The seed will usually be supplied by the Rabin-SAEP+ encryption function but the function will also work if no seed is provided; in that case the seed will be pseudo-randomly generated inside the function and, as on other similar occasions, we warn that this method is not secure. The optional keyword parameters are H for the name of the hash function used to build MGF1 (with 'SHA256' as default) and hLen for the output byte length of this function (with 32 as default).
> SAEPPlusEnc := proc(message::string, k::posint, seed::string,
                      {H::name := 'SHA256', hLen := 32})
  local mLen, sLen, l, pd, M, r, t, v, h, x;
  mLen := iquo(StringTools:-Length(message), 2);   # message length in bytes
  sLen := iquo(k, 2);                               # seed length s_1 = k/2 bytes
  l := sLen-hLen;                                   # padded message length l = k/2 - s_0
  if l <= mLen then
    error "message too long"                        # one byte is reserved for the '01' marker
  end if;
  pd := StringTools:-Repeat("00", l-mLen-1);        # '00' padding, possibly empty
  M := cat(pd, "01", message);                      # M = 00...00 || 01 || message, l bytes
  if _params['seed'] = NULL then
    StringTools:-Randomize();
    r := StringTools:-LowerCase(StringTools:-Random(k, xdigit))   # k hex digits = k/2 bytes (not secure)
  else
    if not StringTools:-IsHexDigit(seed) or StringTools:-Length(seed) <> k then
      error "seed must be a %1-byte hex string", k/2
    end if;
    r := seed
  end if;
  t := MGF1(cat(M, r), hLen);    # t = H(M, r), hLen bytes
  v := cat(M, t);                # M || t, k/2 bytes
  h := MGF1(r, sLen);            # mask G(r), k/2 bytes
  x := bytestohexstring(BitXor(hexstringtobytes(v), hexstringtobytes(h)));   # (M || t) xor G(r)
  cat(x, r)                      # encoded block x || r, k bytes
end proc:
The SAEP+ decoding function, SAEPPlusDec, is given next. The input parameters are the same as those of the encoding function, except for the seed, which is no longer necessary. The function merely reverses the steps in the encoding function and only one important peculiarity is worth mentioning. As we have already remarked, one should be very careful with the error messages produced by the Rabin-SAEP+ decryption function. For this reason, SAEPPlusDec does not return an error message if an invalid ciphertext is detected; instead, it returns the NULL sequence. This will allow the Rabin-SAEP+ decryption function to output an error message only at the end in case of failure.
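As an added example, not the book's Maple code, here is the same SAEP+ encoding and its decoding in Python, working on byte strings instead of hex strings; PKCS#1 MGF1 over SHA-256 stands in for the book's MGF1, and the decoder returns None where SAEPPlusDec returns NULL, so a tampered block, a wrong length and a bad padding marker are all reported the same way.

```python
import hashlib
import hmac
import os
from typing import Optional

def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha256") -> bytes:
    """PKCS#1 MGF1: H(seed || C) for C = 0, 1, ..., truncated to mask_len bytes."""
    h_len = hashlib.new(hash_name).digest_size
    blocks = (mask_len + h_len - 1) // h_len
    out = b"".join(hashlib.new(hash_name, seed + c.to_bytes(4, "big")).digest()
                   for c in range(blocks))
    return out[:mask_len]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def saep_plus_enc(message: bytes, k: int, seed: Optional[bytes] = None,
                  h_len: int = 32) -> bytes:
    """SAEP+ encode: returns ((M || H(M,r)) xor G(r)) || r, k bytes long."""
    s_len = k // 2              # seed length s_1 = k/2
    l = s_len - h_len           # padded message length l = k/2 - s_0
    if l <= len(message):       # one byte is reserved for the '01' marker
        raise ValueError("message too long")
    if seed is None:            # the caller should supply a fresh random seed
        seed = os.urandom(s_len)
    if len(seed) != s_len:
        raise ValueError(f"seed must be {s_len} bytes")
    m = b"\x00" * (l - len(message) - 1) + b"\x01" + message
    t = mgf1(m + seed, h_len)   # H(M, r)
    x = xor(m + t, mgf1(seed, s_len))
    return x + seed

def saep_plus_dec(encoded: bytes, k: int, h_len: int = 32) -> Optional[bytes]:
    """Reverse of saep_plus_enc; None (the book's NULL) on any invalid input."""
    s_len = k // 2
    l = s_len - h_len
    if len(encoded) != k:
        return None
    x, r = encoded[:s_len], encoded[s_len:]
    v = xor(x, mgf1(r, s_len))
    m, t = v[:l], v[l:]
    if not hmac.compare_digest(t, mgf1(m + r, h_len)):  # check H(M, r)
        return None
    i = 0                        # strip the 00* 01 padding
    while i < len(m) and m[i] == 0:
        i += 1
    if i == len(m) or m[i] != 1:
        return None
    return m[i + 1:]
```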