From: Kristian Gjøsteen (
Date: 08/22/05

Date: Mon, 22 Aug 2005 11:10:40 +0000 (UTC)

David Wagner <> wrote:
>Kristian Gjøsteen wrote:
>> <> wrote:
>>>Or could one simply just generate a long string of
>>>secure random bytes (with no added structure anywhere), just one byte
>>>shorter than the modulus, encrypt/decrypt this, with the session key
>>>being the last X bytes of that?
>>You should derive the key from the random bytes using a suitable
>>key derivation function (such as SHA-256), not just the last X
>>bytes. This correct usage goes under the name of RSA-KEM.
>One other difference: If I remember correctly, I believe RSA-KEM
>requires you to choose a random number that is uniformly distributed on
>{0,1,2,...,N-1}, not a random sequence of bytes (which will be distributed
>on {0,1,...,2^k-1} for some k so that 2^k is a bit smaller than N).

>This probably doesn't matter if we're talking only about eavesdroppers,

Agreed, you lose a factor of 1/2 or something in the reduction.

>but the difference may be significant when it comes to resistance against
>side channels and chosen-ciphertext attacks.

Only if you refuse to decrypt the ciphertexts that you would not
yourself generate?

Kristian Gjøsteen
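As an added worked example (not code from this thread or from any of its participants), the following toy RSA-KEM in Python puts the two points under discussion side by side: the session key is derived from the random value r with a KDF (SHA-256 here) rather than taken as its trailing bytes, and r is drawn uniformly from {0, ..., N-1} rather than as a string of random bytes one byte shorter than the modulus. The Mersenne-prime modulus is a constructed toy parameter so the example runs instantly; it is far too small for real use. All function names are assumptions of this example, not names from any standard or library.

```python
"""Toy RSA-KEM contrasting uniform sampling with 'k-1 random bytes'.
Added example; toy parameters only, not a real implementation."""
import hashlib
import secrets
from fractions import Fraction

# Constructed toy parameters: two Mersenne primes give a ~150-bit modulus.
# Chosen only so the example runs instantly; never use keys this small.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse, Python >= 3.8


def byte_len(n: int) -> int:
    """Number of bytes needed to write n in big-endian."""
    return (n.bit_length() + 7) // 8


def kdf(r: int, n: int, out_len: int = 32) -> bytes:
    """Derive the session key from r with SHA-256, as RSA-KEM does, instead
    of slicing bytes off r. r is encoded at the fixed width of the modulus
    so the KDF input is unambiguous regardless of r's magnitude."""
    return hashlib.sha256(r.to_bytes(byte_len(n), "big")).digest()[:out_len]


def sample_uniform(n: int) -> int:
    """RSA-KEM's requirement: r uniform on {0, ..., n-1}.
    secrets.randbelow performs rejection sampling internally, so no value
    of the full range is excluded and none is favoured."""
    return secrets.randbelow(n)


def sample_short_bytes(n: int) -> int:
    """The poster's proposal: byte_len(n)-1 random bytes. The result is
    always below 2**(8*(k-1)) and so covers only part of {0, ..., n-1}."""
    return int.from_bytes(secrets.token_bytes(byte_len(n) - 1), "big")


def short_bytes_coverage(n: int) -> Fraction:
    """Fraction of {0, ..., n-1} that sample_short_bytes can ever produce.
    Since 2**(8*(k-1)) <= n < 2**(8*k), this lies in [1/256, 1)."""
    return Fraction(2 ** (8 * (byte_len(n) - 1)), n)


def encapsulate(n: int, e: int, sampler=sample_uniform):
    """Return (ciphertext, session_key). The key comes from kdf(r),
    not from the last X bytes of r."""
    r = sampler(n)
    c = pow(r, e, n)
    return c, kdf(r, n)


def decapsulate(n: int, d: int, c: int) -> bytes:
    """Recover r and re-derive the key. There is no padding or format check
    that could fail, so every in-range ciphertext yields some key, including
    ciphertexts a short-bytes encapsulator would never have produced."""
    if not 0 <= c < n:
        raise ValueError("ciphertext out of range")
    r = pow(c, d, n)
    return kdf(r, n)


def roundtrip(sampler=sample_uniform) -> bool:
    """Encapsulate with the given sampler and check both sides agree."""
    c, k_enc = encapsulate(N, E, sampler)
    return decapsulate(N, D, c) == k_enc


def large_r_decapsulates() -> bool:
    """r = N-1 is above the short-bytes range yet decapsulates normally,
    i.e. the receiver does not refuse values it would not have generated."""
    r = N - 1
    return decapsulate(N, D, pow(r, E, N)) == kdf(r, N)


if __name__ == "__main__":
    print("uniform roundtrip:", roundtrip())
    print("short-bytes roundtrip:", roundtrip(sample_short_bytes))
    print("short-bytes coverage of [0, N):", float(short_bytes_coverage(N)))
    print("out-of-range r still decapsulates:", large_r_decapsulates())
```

The coverage figure is what the "factor" in the reduction refers to: with whole bytes dropped it can be as small as 1/256, while dropping a single bit instead gives at least 1/2. Decapsulation deliberately has no check to fail, which is why the distribution of r matters for eavesdroppers only in that loss factor and does not create a reject/accept signal.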