Universal Padding Schemes for RSA
A common practice to encrypt with RSA is to first apply a padding scheme to the message and then to exponentiate the result with the public exponent; an example of this is OAEP. Similarly, the usual way of signing with RSA is to apply some padding scheme and then to exponentiate the result with the private exponent, as for example in PSS. Usually, the RSA modulus used for encrypting is different from the one used for signing. The goal of this paper is to simplify this common setting. First, we show that PSS can also be used for encryption, and gives an encryption scheme semantically secure against adaptive chosen-ciphertext attacks, in the random oracle model. As a result, PSS can be used indifferently for encryption or signature. Moreover, we show that PSS allows the same RSA key pairs to be used safely for both encryption and signature, in a concurrent manner. More generally, we show that using PSS the same set of keys can be used for both encryption and signature for any trapdoor partial-domain one-way permutation. The practical consequences of our result are important: PKIs and public-key implementations can be significantly simplified.
Keywords: Probabilistic Signature Scheme, Provable Security
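The setting described in the abstract, one padding and one key pair serving both encryption and signature, can be sketched as follows. This is an added example, not code from the paper: it uses a PSS-R-style padding (w = H(M||r), s = G(w) xor (M||r)) with a simplified byte layout. Assumptions: the leading 0x01 marker byte, the variable-length message, SHA-256 and SHAKE-256 as stand-ins for the random oracles, and a constructed demo key that is trivially factorable.

```python
import hashlib, hmac, os

# Constructed demo key from two Mersenne primes: trivially factorable, illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
HLEN, RLEN, MAXLEN = 32, 16, 140   # |w|, |r|, max encoded bytes (keeps y < N)

def _H(data):                      # stand-in for random oracle H
    return hashlib.sha256(b"H" + data).digest()

def _G(w, n):                      # stand-in for random oracle G, n output bytes
    return hashlib.shake_256(b"G" + w).digest(n)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(msg, r=None):
    """Return integer y = 0x01 || w || s, w = H(M||r), s = G(w) xor (M||r)."""
    r = os.urandom(RLEN) if r is None else r
    if 1 + HLEN + len(msg) + RLEN > MAXLEN:
        raise ValueError("message too long for this modulus")
    w = _H(msg + r)
    s = _xor(_G(w, len(msg) + RLEN), msg + r)
    return int.from_bytes(b"\x01" + w + s, "big")

def unpad(y):
    """Invert pad(); return M, or None when the check w == H(M||r) fails."""
    raw = y.to_bytes((y.bit_length() + 7) // 8, "big")
    if not (1 + HLEN + RLEN <= len(raw) <= MAXLEN) or raw[0] != 1:
        return None
    w, s = raw[1:1 + HLEN], raw[1 + HLEN:]
    mr = _xor(_G(w, len(s)), s)
    return mr[:-RLEN] if hmac.compare_digest(_H(mr), w) else None

# Same padding, same key pair; only the exponent differs between the two uses.
def encrypt(msg):  return pow(pad(msg), E, N)     # pad, then public exponent
def decrypt(c):    return unpad(pow(c, D, N))     # private exponent, then check
def sign(msg):     return pow(pad(msg), D, N)     # pad, then private exponent
def recover(sig):  return unpad(pow(sig, E, N))   # public exponent, message recovery
```

Both `decrypt` and `recover` return `None` for any value whose redundancy check fails, so a malformed ciphertext and a forged signature are rejected by the same test.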