Universal Padding Schemes for RSA

  • Jean-Sébastien Coron
  • Marc Joye
  • David Naccache
  • Pascal Paillier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2442)


A common practice to encrypt with RSA is to first apply a padding scheme to the message and then to exponentiate the result with the public exponent; an example of this is OAEP. Similarly, the usual way of signing with RSA is to apply some padding scheme and then to exponentiate the result with the private exponent, as for example in PSS. Usually, the RSA modulus used for encrypting is different from the one used for signing. The goal of this paper is to simplify this common setting. First, we show that PSS can also be used for encryption, and gives an encryption scheme semantically secure against adaptive chosenciphertext attacks, in the random oracle model. As a result, PSS can be used indifferently for encryption or signature. Moreover, we show that PSS allows to safely use the same RSA key-pairs for both encryption and signature, in a concurrent manner. More generally, we show that using PSS the same set of keys can be used for both encryption and signature for any trapdoor partial-domain one-way permutation. The practical consequences of our result are important: PKIs and public-key implementations can be significantly simplified.


Probabilistic Signature Scheme Provable Security 


  1. 1.
    M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols. Proceedings of the First Annual Conference on Computer and Commmunications Security, ACM, 1993.Google Scholar
  2. 2.
    M. Bellare and P. Rogaway, Optimal Asymmetric Encryption, Proceedings of Eurocrypt’94, LNCS vol. 950, Springer-Verlag, 1994, pp. 92–111.Google Scholar
  3. 3.
    M. Bellare and P. Rogaway, The exact security of digital signatures — How to sign with RSA and Rabin. Proceedings of Eurocrypt’96, LNCS vol. 1070, Springer-Verlag, 1996, pp. 399–416.Google Scholar
  4. 4.
    D. Boneh, Simplified OAEP for the RSA and Rabin functions, Prooceedings of Crypto 2001, LNCS vol 2139, pp. 275–291, 2001.Google Scholar
  5. 5.
    D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. Proceedings of Crypto’ 96, pp. 129–142, 1996.Google Scholar
  6. 6.
    R. Canetti, O. Goldreich and S. Halevi, The random oracle methodology, revisited, STOC’ 98, ACM, 1998.Google Scholar
  7. 7.
    D. Coppersmith, Finding a small root of a univariate modular equation, in Eurocrypt’96, LNCS 1070.Google Scholar
  8. 8.
    J.S. Coron, M. Joye, D. Naccache and P. Paillier, Universal padding schemes for RSA. Full version of this paper. Cryptology ePrint Archive,
  9. 9.
    E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern, RSA-OAEP is secure under the RSA assumption, Proceedings of Crypto’ 2001, LNCS vol. 2139, Springer-Verlag, 2001, pp. 260–274.Google Scholar
  10. 10.
    S. Goldwasser, S. Micali and R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks, SIAM Journal of computing, 17(2), pp. 281–308, April 1988.zbMATHCrossRefMathSciNetGoogle Scholar
  11. 11.
    S. Haber and B. Pinkas, Combining Public Key Cryptosystems, Proceedings of the ACM Computer and Security Conference, November 2001.Google Scholar
  12. 12.
    IEEE P1363a, Standard Specifications For Public Key Cryptography: Additional Techniques, available at
  13. 13.
    J. Manger, A chosen ciphertext attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0. Proceedings of Crypto 2001, LNCS 2139, pp. 230–238, 2001.Google Scholar
  14. 14.
    PKCS #1 v2.1, RSA Cryptography Standard (draft), available at /rsalabs/pkcs.
  15. 15.
    C. Racko. and D. Simon, Noninteractive zero-knowledge proof of knowledge and chosen ciphertext attack. Advances in Cryptology, Crypto’ 91, pages 433–444, 1991.Google Scholar
  16. 16.
    R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, CACM 21, 1978.Google Scholar
  17. 17.
    V. Shoup, OAEP reconsidered, Proceedings of Crypto 2001, LNCS vol. 2139, pp 239–259, 2001.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Jean-Sébastien Coron
    • 1
  • Marc Joye
    • 1
  • David Naccache
    • 1
  • Pascal Paillier
    • 1
  1. 1.Gemplus Card InternationalFrance

Personalised recommendations