In the OAEP padding/armoring scheme for RSA encryption, the seed used is masked (with the masked data block) in the end. Why is that necessary, since the seed is random anyway?
The point is that you will only be able to reconstruct the seed if you know every single bit of maskedSeed and maskedDB and you will be able to decode the message only if you know every single bit of the seed and maskedDB.
If an attacker gets only a single bit of maskedDB wrong, feeding it to the MGF will yield a totally different result and will not allow him to reconstruct the seed.
If only a single bit of maskedSeed is incorrect, the reconstructed seed will also contain a single incorrect bit and again, feeding it to the MGF will lead to a totally different value and it will not be possible to reconstruct the original message.
dhe25519
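To make the answer's point concrete, here is an added example (not part of the original question or answer) that implements the EME-OAEP encoding and decoding steps of RFC 8017 with SHA-256 and MGF1, leaving out the RSA operation itself. The modulus length `k = 128` bytes, the label, the sample message and the fixed seed are constructed for the demonstration. It encodes a message, then flips one bit inside maskedDB and one bit inside maskedSeed and counts how many bits of the recovered seed and DB change: a single wrong bit of maskedDB scrambles about half the seed bits, and a single wrong bit of maskedSeed leaves the seed off by exactly one bit but scrambles about half of DB, so in both cases the decoder's lHash check fails.

```python
"""Added example (not from the original post): EME-OAEP padding from RFC 8017
implemented with SHA-256 and MGF1, without the RSA step, to show why masking
the seed with maskedDB makes the encoding all-or-nothing."""
import hashlib

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 bytes


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 (RFC 8017, B.2.1): Hash(seed || C) for C = 0, 1, ... until enough bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, k: int, seed: bytes, label: bytes = b"") -> bytes:
    """EME-OAEP encoding (RFC 8017, 7.1.1 step 2); k is the modulus length in bytes.
    In real use the seed must be H_LEN fresh random bytes; the caller supplies it
    here so the experiment below can be deterministic."""
    if len(seed) != H_LEN:
        raise ValueError("seed must be H_LEN bytes")
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = HASH(label).digest()
    ps = b"\x00" * (k - len(message) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + message            # DB = lHash || PS || 0x01 || M
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))   # DB masked with MGF(seed)
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))  # seed masked with MGF(maskedDB)
    return b"\x00" + masked_seed + masked_db


def split_em(em: bytes):
    return em[1:1 + H_LEN], em[1 + H_LEN:]


def recover_seed(em: bytes) -> bytes:
    """Seed-recovery step only, with no integrity checks (for the experiment)."""
    masked_seed, masked_db = split_em(em)
    return xor(masked_seed, mgf1(masked_db, H_LEN))


def recover_db(em: bytes, k: int) -> bytes:
    """DB-recovery step only, with no integrity checks."""
    _, masked_db = split_em(em)
    return xor(masked_db, mgf1(recover_seed(em), k - H_LEN - 1))


def oaep_decode(em: bytes, k: int, label: bytes = b""):
    """EME-OAEP decoding (RFC 8017, 7.1.2 step 3). Returns (seed, message) or raises."""
    if len(em) != k or em[0] != 0:
        raise ValueError("decryption error")
    db = recover_db(em, k)
    if db[:H_LEN] != HASH(label).digest():
        raise ValueError("decryption error")
    idx = db.find(b"\x01", H_LEN)                # separator after the zero padding
    if idx == -1 or any(db[H_LEN:idx]):
        raise ValueError("decryption error")
    return recover_seed(em), db[idx + 1:]


def flip_bit(data: bytes, bit_index: int) -> bytes:
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo(seed: bytes, k: int = 128) -> dict:
    """Encode a constructed message, flip one bit in each half of EM, and measure
    how far the recovered seed and DB drift from the originals."""
    msg = b"constructed sample message"
    em = oaep_encode(msg, k, seed)
    assert oaep_decode(em, k) == (seed, msg)
    db = recover_db(em, k)
    em_bad_db = flip_bit(em, (1 + H_LEN) * 8 + 5)   # one bit inside maskedDB
    em_bad_seed = flip_bit(em, 8 + 3)               # one bit inside maskedSeed
    rejected = 0
    for bad in (em_bad_db, em_bad_seed):
        try:
            oaep_decode(bad, k)
        except ValueError:
            rejected += 1
    return {
        # maskedDB off by one bit: MGF(maskedDB) is unrelated, so the seed is garbage
        "seed_bits_changed_by_db_flip": hamming(seed, recover_seed(em_bad_db)),
        # maskedSeed off by one bit: the seed is off by exactly that bit ...
        "seed_bits_changed_by_seed_flip": hamming(seed, recover_seed(em_bad_seed)),
        # ... but MGF(seed) is then unrelated, so DB (and the message) is garbage
        "db_bits_changed_by_seed_flip": hamming(db, recover_db(em_bad_seed, k)),
        "tampered_decodes_rejected": rejected,
    }


if __name__ == "__main__":
    import os
    print(demo(os.urandom(H_LEN)))
```

With `k = 128` the seed is 256 bits and DB is 760 bits, so the two "garbage" counts land near 128 and 380 respectively on every run. Two caveats for anyone reading this as more than an illustration: the separate error paths in `oaep_decode` are fine for showing the structure, but a production decoder must make all failure cases indistinguishable in timing and in error reporting, and padding for real RSA encryption should come from a maintained library's OAEP implementation rather than code like this.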
