Re: OAEP
From: Kristian Gjøsteen (kristiag+news_at_item.ntnu.no)
Date: 08/22/05
- Next message: tomstdenis_at_gmail.com: "New Rabin-type PK system"
- Previous message: Richard Herring: "Re: md5 collisions and speeding tickets"
- In reply to: David Wagner: "Re: OAEP"
- Next in thread: David Wagner: "Re: OAEP"
- Reply: David Wagner: "Re: OAEP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 22 Aug 2005 11:10:40 +0000 (UTC)
David Wagner <daw-usenet@taverner.cs.berkeley.edu> wrote:
>Kristian Gjøsteen wrote:
>> <mike4ty4@yahoo.com> wrote:
>>>Or could one simply just generate a long string of
>>>secure random bytes (with no added structure anywhere), just one byte
>>>shorter than the modulus, encrypt/decrypt this, with the session key
>>>being the last X bytes of that?
>>
>>You should derive the key from the random bytes using a suitable
>>key derivation function (such as SHA-256), not just the last X
>>bytes. This correct usage goes under the name of RSA-KEM.
>
>One other difference: If I remember correctly, I believe RSA-KEM
>requires you to choose a random number that is uniform distributed on
>{0,1,2,..,N-1}, not a random sequence of bytes (which will be distributed
>on {0,1,..,2^k-1} for some k so that 2^k is a bit smaller than N).
Yes.
>This probably doesn't matter if we're talking only about eavesdroppers,
Agreed, you lose a factor of 1/2 or something in the reduction.
>but the difference may be significant when it comes to resistance against
>side channels and chosen-ciphertext attacks.
Only if you refuse to decrypt the ciphertexts that you would not
yourself generate?
-- Kristian Gjøsteen
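The two sampling choices and the decryption behaviour the thread argues about, as an added illustration that is not part of the thread and not anyone's posted code. It assumes a toy modulus built from two known Mersenne primes (trivially factorable, for demonstration only), SHA-256 over a fixed-length encoding of r as the key derivation function, and the helper names below are mine. The uniform sampler draws bit_length(N) bits and rejects values >= N; the "short bytes" sampler is the shortcut from the thread, which never exceeds N but only reaches a fraction of {0,...,N-1}. Both decapsulators recover the key for well-formed ciphertexts; only the rejecting one tells a chosen-ciphertext attacker whether the recovered r fell inside the range the encryptor would have used.

```python
import hashlib
import secrets

# Toy RSA key from two known Mersenne primes. Assumed for the demo only:
# a 92-bit modulus is trivially factorable and must never be used for real.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def modulus_len(n):
    """Length of the modulus in bytes."""
    return (n.bit_length() + 7) // 8


def i2osp(x, length):
    """Fixed-length big-endian encoding, so the KDF input is unambiguous."""
    return x.to_bytes(length, "big")


def kdf(r, n):
    """Key derivation as the thread suggests: hash r, do not slice its bytes."""
    return hashlib.sha256(i2osp(r, modulus_len(n))).digest()


def sample_uniform_mod_n(n, rng=secrets.randbits):
    """r uniform on {0,...,n-1} by rejection sampling (what RSA-KEM specifies).
    Each draw is accepted with probability n / 2^bits > 1/2."""
    bits = n.bit_length()
    while True:
        r = rng(bits)
        if r < n:
            return r


def sample_short_bytes(n, rng=secrets.token_bytes):
    """The shortcut from the thread: random bytes, one byte shorter than the
    modulus. Always < n, but only covers {0,...,2^(8(k-1))-1}."""
    return int.from_bytes(rng(modulus_len(n) - 1), "big")


def short_bytes_coverage(n):
    """Fraction of {0,...,n-1} that sample_short_bytes can ever produce."""
    return (1 << (8 * (modulus_len(n) - 1))) / n


def encapsulate(n, e, sampler=sample_uniform_mod_n):
    """RSA-KEM encapsulation: (ciphertext, shared key)."""
    r = sampler(n)
    c = pow(r, e, n)
    return c, kdf(r, n)


def decapsulate(n, d, c):
    """RSA-KEM decapsulation: every c in [0, n) yields a key. There is no
    plaintext-format check, so nothing for an attacker to observe."""
    if not 0 <= c < n:
        raise ValueError("ciphertext out of range")
    r = pow(c, d, n)
    return kdf(r, n)


def decapsulate_rejecting(n, d, c):
    """The design the reply warns about: refusing ciphertexts whose r the
    encryptor would not have generated (here, r outside the short-bytes range).
    The accept/reject outcome is a chosen-ciphertext oracle on the plaintext."""
    if not 0 <= c < n:
        raise ValueError("ciphertext out of range")
    r = pow(c, d, n)
    if r >= 1 << (8 * (modulus_len(n) - 1)):
        raise ValueError("plaintext not of expected form")
    return kdf(r, n)


if __name__ == "__main__":
    c, k = encapsulate(N, E)
    assert decapsulate(N, D, c) == k
    c2, k2 = encapsulate(N, E, sampler=sample_short_bytes)
    assert decapsulate(N, D, c2) == k2
    print("short-bytes sampler covers %.3f of the range" % short_bytes_coverage(N))
```

For this 92-bit toy modulus the short-bytes sampler reaches only 2^88 of about 2^92 values; for a real 2048-bit modulus, one byte shorter means 2^2040 values out of at least 2^2047, so the encryptor never produces most of the range. Encrypting N - 1 directly (a ciphertext the encryptor "would not generate") is decapsulated normally by the first decapsulator and refused by the second, which is exactly the observable difference the thread is about.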