Re: OAEP

From: Kristian Gjøsteen (kristiag+news_at_item.ntnu.no)
Date: 08/22/05


Date: Mon, 22 Aug 2005 11:10:40 +0000 (UTC)

David Wagner <daw-usenet@taverner.cs.berkeley.edu> wrote:
>Kristian Gjøsteen wrote:
>> <mike4ty4@yahoo.com> wrote:
>>>Or could one simply just generate a long string of
>>>secure random bytes (with no added structure anywhere), just one byte
>>>shorter than the modulus, encrypt/decrypt this, with the session key
>>>being the last X bytes of that?
>>
>>You should derive the key from the random bytes using a suitable
>>key derivation function (such as SHA-256), not just the last X
>>bytes. This correct usage goes under the name of RSA-KEM.
>
>One other difference: If I remember correctly, I believe RSA-KEM
>requires you to choose a random number that is uniformly distributed on
>{0,1,2,..,N-1}, not a random sequence of bytes (which will be distributed
>on {0,1,..,2^k-1} for some k so that 2^k is a bit smaller than N).

Yes.

>This probably doesn't matter if we're talking only about eavesdroppers,

Agreed, you lose a factor of 1/2 or something in the reduction.

>but the difference may be significant when it comes to resistance against
>side channels and chosen-ciphertext attacks.

Only if you refuse to decrypt the ciphertexts that you would not
yourself generate?

-- 
Kristian Gjøsteen
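Added example (not part of the thread, and not code by either poster): a toy RSA-KEM in Python that puts the two points above side by side. It samples r uniformly on {0,...,N-1} and derives the key with a KDF over all of r (SHA-256 over the fixed-length encoding of r stands in for a standard KDF; that choice, the toy primes and the helper names are this example's own assumptions), and it also implements the sampler from the original question (random bytes one byte shorter than the modulus) so the fraction of the range it can reach can be measured. The decapsulator accepts every in-range ciphertext rather than rejecting values the sender's sampler could never have produced, which is the side-channel/CCA concern in the last exchange.

```python
# Added example: toy RSA-KEM versus the "random bytes one byte shorter than
# the modulus" sampler from the original question. Constructed parameters.
import hashlib
import secrets
from typing import Tuple

# Constructed toy RSA key. These primes are far too small for real use; they
# only keep the numbers readable. Real RSA-KEM uses a 2048-bit+ modulus.
P = 1000003
Q = 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def byte_len(n: int) -> int:
    """Number of bytes needed to encode n."""
    return (n.bit_length() + 7) // 8


def kdf(r: int, n: int) -> bytes:
    """Derive the session key from the RSA-KEM secret r.

    SHA-256 over the fixed-length big-endian encoding of r stands in for a
    standard KDF here (an assumption of this example). The point from the
    thread is that the key comes from a KDF over all of r, not its last X bytes.
    """
    return hashlib.sha256(r.to_bytes(byte_len(n), "big")).digest()


def kem_encapsulate(n: int, e: int) -> Tuple[int, bytes]:
    """RSA-KEM encapsulation: r uniform on {0,...,n-1}, c = r^e mod n, K = KDF(r)."""
    r = secrets.randbelow(n)           # uniform on the full range, as RSA-KEM requires
    c = pow(r, e, n)
    return c, kdf(r, n)


def kem_decapsulate(c: int, d: int, n: int) -> bytes:
    """RSA-KEM decapsulation: recover r and re-derive K.

    Every c in {0,...,n-1} is decapsulated. Refusing values that the sender's
    own sampler could never produce would make the decryptor behave
    differently on some ciphertexts, which is the concern raised in the thread.
    """
    if not 0 <= c < n:
        raise ValueError("ciphertext out of range")
    r = pow(c, d, n)
    return kdf(r, n)


def naive_sample(n: int) -> int:
    """The sampler from the question: random bytes one byte shorter than the modulus.

    The result lies in {0,...,2^(8(k-1))-1} for a k-byte modulus, not {0,...,n-1}.
    """
    return int.from_bytes(secrets.token_bytes(byte_len(n) - 1), "big")


def naive_coverage(n: int) -> float:
    """Fraction of {0,...,n-1} that the naive sampler can reach."""
    return 2 ** (8 * (byte_len(n) - 1)) / n


if __name__ == "__main__":
    c, k_sender = kem_encapsulate(N, E)
    k_receiver = kem_decapsulate(c, D, N)
    print("keys match:", k_sender == k_receiver)
    # For a modulus whose bit length is a multiple of 8 (the usual case) the
    # naive sampler reaches between 2^-8 and 2^-7 of the range.
    print(f"naive sampler covers {naive_coverage(N):.3%} of {{0,...,N-1}} for this toy modulus")
```

Run it as a script to see the two values, or import it and call `naive_coverage` with a realistic modulus to see how small the reachable fraction is there.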

