Universal Padding Schemes for RSA
نویسندگان
چکیده
A common practice to encrypt with RSA is to first apply a padding scheme to the message and then to exponentiate the result with the public exponent; an example of this is OAEP. Similarly, the usual way of signing with RSA is to apply some padding scheme and then to exponentiate the result with the private exponent, as for example in PSS. Usually, the RSA modulus used for encrypting is different from the one used for signing. The goal of this paper is to simplify this common setting. First, we show that PSS can also be used for encryption, and gives an encryption scheme semantically secure against adaptive chosenciphertext attacks, in the random oracle model. As a result, PSS can be used indifferently for encryption or signature. Moreover, we show that PSS allows to safely use the same RSA key-pairs for both encryption and signature, in a concurrent manner. More generally, we show that using PSS the same set of keys can be used for both encryption and signature for any trapdoor partial-domain one-way permutation. The practical consequences of our result are important: PKIs and public-key implementations can be significantly simplified.
منابع مشابه
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
We show how to construct a practical secure signature padding scheme for arbitrarily long messages from a secure signature padding scheme for fixed-length messages. This new construction is based on a one-way compression function respecting the division intractability assumption. By practical, we mean that our scheme can be instantiated using dedicated compression functions and without chaining...
متن کاملFrom Fixed-Length to Arbitrary-Length RSA Padding Schemes
A common practice for signing with RSA is to first apply a hash function or a redundancy function to the message, add some padding and exponentiate the resulting padded message using the decryption exponent. This is the basis of several existing standards. In this paper we show how to build a secure padding scheme for signing arbitrarily long messages with a secure padding scheme for fixed-size...
متن کاملParallel Signcryption with OAEP, PSS-R, and other Feistel Paddings
We present a new, elegant composition method for joint signature and encryption, also referred to assigncryption. The new method, which we call Padding-based Parallel Signcryption (PbPS), builds an effi-cient signcryption scheme from any family of trapdoor permutations, such as RSA. Each user U generates asingle public/secret key pair fU/f −1Uused for both sending and receiv...
متن کاملPadding attacks on RSA
This paper presents a non-technical overview of the the recent attacks against RSA encryption and signature standards. It is intended as both a system design aid and a temporary reference text beginning at a level suitable for engineers, risk managers and system architects with no or little previous exposure to padding attacks. We have used a straightforward approach to the essential consequenc...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2002 شماره
صفحات -
تاریخ انتشار 2002