Paper 2002/115

Universal Padding Schemes for RSA

Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier

Abstract

A common practice to encrypt with RSA is to first apply a padding scheme to the message and then to exponentiate the result with the public exponent; an example of this is OAEP. Similarly, the usual way of signing with RSA is to apply some padding scheme and then to exponentiate the result with the private exponent, as for example in PSS. Usually, the RSA modulus used for encrypting is different from the one used for signing. The goal of this paper is to simplify this common setting. First, we show that PSS can also be used for encryption, and gives an encryption scheme semantically secure against adaptive chosen-ciphertext attacks, in the random oracle model. As a result, PSS can be used indifferently for encryption or signature. Moreover, we show that PSS allows to safely use the same RSA key-pairs for both encryption and signature, in a concurrent manner. More generally, we show that using PSS the same set of keys can be used for both encryption and signature for any trapdoor partial-domain one-way permutation. The practical consequences of our result are important: PKIs and public-key implementations can be significantly simplified.

Metadata
Available format(s)
PS
Category
Public-key cryptography
Publication info
Published elsewhere. Paper published at Crypto 2002
Keywords
Provable SecurityPSS
Contact author(s)
coron @ clipper ens fr
History
2002-08-12: received
Short URL
https://ia.cr/2002/115
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2002/115,
      author = {Jean-Sébastien Coron and Marc Joye and David Naccache and Pascal Paillier},
      title = {Universal Padding Schemes for {RSA}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2002/115},
      year = {2002},
      url = {https://eprint.iacr.org/2002/115}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.