Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Optimal asymmetric encryption padding
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
==Algorithm== [[File:OAEP encoding schema.svg|410x410px|thumb|right|OAEP encoding schema according to RFC 8017]] In the diagram, * ''MGF'' is the [[Mask generation function|mask generating function]], usually MGF1, * ''Hash'' is the chosen [[Cryptographic hash function|hash function]], * ''hLen'' is the length of the output of the hash function in bytes, * ''k'' is the length of the [[RSA (cryptosystem)|RSA]] modulus ''n'' in bytes, * ''M'' is the message to be padded, with length ''mLen'' (at most <math>\mathrm{mLen}= k - 2 \cdot \mathrm{hLen} - 2</math> bytes), * ''L'' is an optional label to be associated with the message (the label is the empty string by default and can be used to authenticate data without requiring encryption), * ''PS'' is a byte string of <math>k - \mathrm{mLen} - 2 \cdot \mathrm{hLen} - 2</math> null-bytes. * β is an [[Exclusive or|XOR]]-Operation. === Encoding === <nowiki>RFC 8017</nowiki><ref>{{cite IETF|title=PKCS #1: RSA Cryptography Specifications Version 2.2|rfc=8017|sectionname=Encryption Operation|section=7.1.1|page=22|last=|first=|author-link=|date=November 2016|publisher=[[Internet Engineering Task Force|IETF]]|access-date=2022-06-04|doi=10.17487/RFC8017}}</ref> for PKCS#1 v2.2 specifies the OAEP scheme as follows for encoding: # Hash the label ''L'' using the chosen hash function: <math>\mathrm{lHash} = \mathrm{Hash}(L)</math> # Generate a padding string ''PS'' consisting of <math>k - \mathrm{mLen} - 2 \cdot \mathrm{hLen} - 2</math> bytes with the value 0x00. # Concatenate ''lHash'', ''PS'', the single byte 0x01, and the message ''M'' to form a data block ''DB'': <math>\mathrm{DB} = \mathrm{lHash} || \mathrm{PS} || \mathrm{0x01} || \mathrm{M}</math>. This data block has length <math>k - \mathrm{hLen} - 1</math> bytes. # Generate a random seed of length ''hLen''. # Use the mask generating function to generate a mask of the appropriate length for the data block: <math>\mathrm{dbMask} = \mathrm{MGF}(\mathrm{seed}, k - \mathrm{hLen} - 1)</math> # Mask the data block with the generated mask: <math>\mathrm{maskedDB} = \mathrm{DB} \oplus \mathrm{dbMask}</math> # Use the mask generating function to generate a mask of length ''hLen'' for the seed: <math>\mathrm{seedMask} = \mathrm{MGF}(\mathrm{maskedDB}, \mathrm{hLen})</math> # Mask the seed with the generated mask: <math>\mathrm{maskedSeed} = \mathrm{seed} \oplus \mathrm{seedMask}</math> # The encoded (padded) message is the byte 0x00 concatenated with the ''maskedSeed'' and ''maskedDB'': <math>\mathrm{EM} = \mathrm{0x00} || \mathrm{maskedSeed} || \mathrm{maskedDB}</math> === Decoding === Decoding works by reversing the steps taken in the encoding algorithm: # Hash the label ''L'' using the chosen hash function: <math>\mathrm{lHash} = \mathrm{Hash}(L)</math> # To reverse step 9, split the encoded message ''EM'' into the byte 0x00, the ''maskedSeed'' (with length ''hLen'') and the ''maskedDB'': <math>\mathrm{EM} = \mathrm{0x00} || \mathrm{maskedSeed} || \mathrm{maskedDB}</math> # Generate the ''seedMask'' which was used to mask the ''seed'': <math>\mathrm{seedMask} = \mathrm{MGF}(\mathrm{maskedDB}, \mathrm{hLen})</math> # To reverse step 8, recover the ''seed'' with the ''seedMask'': <math>\mathrm{seed} = \mathrm{maskedSeed} \oplus \mathrm{seedMask}</math> # Generate the ''dbMask'' which was used to mask the data block: <math>\mathrm{dbMask} = \mathrm{MGF}(\mathrm{seed}, k - \mathrm{hLen} - 1)</math> # To reverse step 6, recover the data block ''DB:'' <math>\mathrm{DB} = \mathrm{maskedDB} \oplus \mathrm{dbMask}</math> # To reverse step 3, split the data block into its parts: <math>\mathrm{DB} = \mathrm{lHash'} || \mathrm{PS} || \mathrm{0x01} || \mathrm{M}</math>. ## Verify that: ##* ''lHash''' is equal to the computed ''lHash'' ##* ''PS'' only consists of bytes 0x00 ##* ''PS'' and ''M'' are separated by the 0x01 byte and ##* the first byte of ''EM'' is the byte 0x00. ## If any of these conditions aren't met, then the padding is invalid. Usage in RSA: The encoded message can then be encrypted with RSA. The deterministic property of RSA is now avoided by using the OAEP encoding because the ''seed'' is randomly generated and influences the entire encoded message. ===Security=== The "[[All-or-nothing transform|all-or-nothing]]" security is from the fact that to recover ''M'', one must recover the entire ''maskedDB'' and the entire ''maskedSeed''; ''maskedDB'' is required to recover the ''seed'' from the ''maskedSeed'', and the ''seed'' is required to recover the data block ''DB'' from ''maskedDB''. Since any changed bit of a cryptographic hash completely changes the result, the entire ''maskedDB'', and the entire ''maskedSeed'' must both be completely recovered. ===Implementation=== In the PKCS#1 standard, the random oracles are identical. The PKCS#1 standard further requires that the random oracles be [[MGF1]] with an appropriate hash function.<ref>{{Cite journal|url=https://eprint.iacr.org/2006/223.pdf| title=What Hashes Make RSA-OAEP Secure?|journal = IACR Cryptology ePrint Archive| last=Brown |first=Daniel R. L.| date=2006| language=en|access-date=2019-04-03}}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)