Questions tagged [oaep]

Optimal Asymmetric Encryption Padding is a padding scheme for RSA, codifying how short plaintext is enciphered and deciphered. It has a security reduction to the RSA problem.

Optimal Asymmetric Encryption Padding is standardized under the name RSAES-OAEP in PKCS#1 v2.2 and RFC 2437.

The reference paper is: M. Bellare and P. Rogaway, Optimal asymmetric encryption (subtitled How to encrypt with RSA on the first author's webpage), in proceedings of EuroCrypt 1994.

69 questions

votes

1 answer

What is the maximum size of the plaintext message for RSA OAEP?

OAEP is an important technique used to strengthen RSA. However, using OAEP (or any technique that adds randomness) reduces the size of plaintexts that can be encrypted. Assume for instance that OAEP is using a 160-bit seed and a hash function that…

asked Dec 06 '16 at 05:19

Sarkar

votes

3 answers

Is RSA-OAEP deprecated?

I need asymmetric pub/private keypair encryption in JavaScript. Web browsers support RSA-OAEP, which works exactly as I need. But there is a table which lists supported algorithms for web crypto at https://diafygi.github.io/webcrypto-examples/ ...…

rsa oaep

asked Sep 18 '17 at 19:43

Tomas M

votes

0 answers

RSA key such that pi deciphers to your name per RSA-OAEP

Can you efficiently construct an RSA public/private key pair with $8k$-bit public modulus such that $C=\left\lfloor\pi\,2^{8k-2}\right\rfloor$ deciphers per RSA-OAEP to your name as a bytestring in ASCII or UTF-8? The decryption must be per…

rsa oaep

asked Apr 23 '20 at 11:22

fgrieu

149,326
13
324
622

votes

1 answer

Why did OAEP change from PKCS#1 v2.0 and v2.1?

In PKCS#1 v2.1 the OAEP output is prepending with a null byte. Quoting RFC 3447, i. Concatenate a single octet with hexadecimal value 0x00, maskedSeed, and maskedDB to form an encoded message EM of length k octets as EM = 0x00…

rsa oaep pkcs1

asked Sep 16 '16 at 16:23

neubert

2,969
1
29
58

votes

2 answers

Is Bouncycastle RSA+OAEP implementation vulnerable to Manger’s attack?

I have written a code to encrypt a plaintext as below. Here I am using bouncycastle crypto provider and referring to the RSA+OAEP for that. public static void main(String [] args) throws Exception { Security.insertProviderAt(new…

encryption rsa chosen-ciphertext-attack oaep

asked Jul 27 '18 at 02:56

NShani

votes

2 answers

Why not use OAEP for signatures?

There seems to be a distinct lack of implementations of RSA signatures using OAEP to pad the digest. Other than the old, funky, padding schemes, it's PSS all the way. PSS seems to have the whiff of patents about it. OAEP, on the other hand, is…

rsa padding oaep

asked Sep 23 '15 at 22:41

Dan

votes

1 answer

RSA-OAEP Input Parameters

When creating padding for RSA using OAEP, a message is prepared as follows: Hash(Input Parameter) || Zeros || 1 || Message My question is, what should the Input Parameter be? It must be known to both sides, I understand it can be an empty array…

rsa padding oaep

asked Mar 11 '12 at 16:42

Nenad Vukicevic

votes

1 answer

Why is the seed masked in OAEP

In the OAEP padding/armoring scheme for RSA encryption, the seed used is masked (with the masked data block) in the end. Why is that necessary, since the seed is random anyway?

rsa padding oaep pkcs1

asked Apr 25 '17 at 16:42

mat

2,558
1
14
28

votes

1 answer

In PKCS#1 V2.2, should MGF be based on the same hash function that RSA-OAEP-ENCRYPT uses?

In Section 7.1.1 of PKCS#1 v2.2 there are two options for RSAES-OAEP-Encrypt given: Hash MGF Appendix B.2.1 of the same document states that MGF1 is based on a hash function. Is MGF1 based on the same hash function that is chosen as an option for…

hash rsa padding oaep

asked Jul 13 '16 at 22:48

Andrew Savinykh

votes

1 answer

What is the reason for length differences in RSA?

In NIST FIPS 186-4, "digital signature algorithm", the minimal length allowed is 1024 bit (page 22). On the contrary, in NIST SP800-56B, page 63, RSA-OAEP encryption, the minimal length is 2048. Why 1024 is secure enough for digital signature but…

rsa signature oaep

asked Jun 18 '18 at 19:49

Evgeni Vaknin

1,155
8
20

votes

1 answer

What's the point of OAEP?

I can't seem to wrap my head around what benefit OAEP provides (specifically with RSA). Lets consider really small numbers for a moment. If the random source in the padding algorithm gave a random value in the range of 1-100, then each unique…

rsa oaep

asked May 07 '18 at 10:39

Jack Hoffman

votes

2 answers

Why is padding the plaintext with a random string before encryption worse than OAEP / PKCS#7?

I'm reading about OAEP / PKCS padding used for PGP to turn deterministic algorithms like RSA from deterministic encryption to probabilistic encryption (randomness in the resulting output). That way the same input encrypted with RSA should produce a…

rsa pgp deterministic-encryption oaep

asked May 24 '16 at 15:38

Xeoncross

votes

1 answer

RSA-OAEP: How does it work?

I was looking at this image about OAEP: ..and was wondering what was happening here. We have a data block DB which consists of: lHash: What is this and where does this come from? PS: A string of zeros, but how much zeros? M: clearly our…

rsa oaep

asked Jan 28 '16 at 14:40

今天春天

votes

1 answer

What are the uses of arbitrary length output hashes (other than OAEP)?

Functions such as SHA-3 from the Keccak family allow for a hash of arbitrary length output. These functions are (according to Wikipedia) useful for practical, lightweight applications. I know that SHAKE-128 and SHAKE-256 can be applied for OAEP. My…

hash keccak oaep

asked Mar 01 '19 at 14:02

AleksanderCH

6,511
10
31
64

votes

1 answer

Secure ElGamal with OAEP

Is it possible to make ElGamal IND-CCA2 using OAEP or OAEP+? (OAEP+ from: "OAEP Reconsiderd" by Shoup) The reason I ask is that I recently answered this question and it came to my mind that OAEP or OAEP+ might be possible solutions. Note this isn't…

elgamal-encryption chosen-ciphertext-attack oaep

asked Apr 12 '15 at 18:26

SEJPM

46,697
9
103
214

2 3 4 5 Next