Diagram of OAEP
In the diagram,
- n is the number of bits in the RSA modulus.
- k0 and k1 are integers fixed by the protocol.
- m is the plaintext message, an (n − k0 − k1 )-bit string
- G and H are typically some cryptographic hash functions fixed by the protocol.
To encode,
- messages are padded with k1 zeros to be n − k0 bits in length.
- r is a random k0-bit string
- G expands the k0 bits of r to n − k0 bits.
- X = m00..0 ⊕ G(r)
- H reduces the n − k0 bits of X to k0 bits.
- Y = r ⊕ H(X)
- The output is X || Y where X is shown in the diagram as the leftmost block and Y as the rightmost block.
To decode,
- recover the random string as r = Y ⊕ H(X)
- recover the message as m00..0 = X ⊕ G(r)
The "all-or-nothing" security is from the fact that to recover m, you must recover the entire X and the entire Y; X is required to recover r from Y, and r is required to recover m from X. Since any changed bit of a cryptographic hash completely changes the result, the entire X, and the entire Y must both be completely recovered.
Read more about this topic: Optimal Asymmetric Encryption Padding
Famous quotes containing the word diagram:
“If a fish is the movement of water embodied, given shape, then cat is a diagram and pattern of subtle air.”
—Doris Lessing (b. 1919)
Related Phrases
Related Words