Content deleted Content added
Brynosaurus (talk | contribs) m padding algorithms category |
→Algorithm: Adding how OAEP is used in RSA |
||
Line 32:
# ''r'' is a randomly generated ''k''<sub>0</sub>-bit string
# ''G'' expands the ''k''<sub>0</sub> bits of ''r'' to ''n'' − ''k''<sub>0</sub> bits.
# ''X'' = ''m''00...0 ⊕ ''G''(''r'')
# ''H'' reduces the ''n'' − ''k''<sub>0</sub> bits of ''X'' to ''k''<sub>0</sub> bits.
# ''Y'' = ''r'' ⊕ ''H''(''X'')
Line 39:
To decode,
# recover the random string as ''r'' = ''Y'' ⊕ ''H''(''X'')
# recover the message as ''m''00...0 = ''X'' ⊕ ''G''(''r'')
Usage in RSA:
The encoded message can then be encrypted with RSA. The deterministic property of RSA is now avoided by using the OAEP encoding
===Security===
The "[[All-or-nothing transform|all-or-nothing]]" security is from the fact that to recover ''m'', one must recover the entire ''X'' and the entire ''Y''; ''X'' is required to recover ''r'' from ''Y'', and ''r'' is required to recover ''m'' from ''X''. Since any changed bit of a cryptographic hash completely changes the result, the entire ''X'', and the entire ''Y'' must both be completely recovered.
| |||