tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search

RFC 8017

Informational
Pages: 78
Top     in Index     Prev     Next
in Group Index     Prev in Group     Next in Group     Group: ~sec-pkcs

PKCS #1: RSA Cryptography Specifications Version 2.2

Part 1 of 4, p. 1 to 18
None       Next Section

Obsoletes:    3447


Top       ToC       Page 1 
Internet Engineering Task Force (IETF)                  K. Moriarty, Ed.
Request for Comments: 8017                               EMC Corporation
Obsoletes: 3447                                               B. Kaliski
Category: Informational                                         Verisign
ISSN: 2070-1721                                               J. Jonsson
                                                               Subset AB
                                                                A. Rusch
                                                                     RSA
                                                           November 2016


          PKCS #1: RSA Cryptography Specifications Version 2.2

Abstract

   This document provides recommendations for the implementation of
   public-key cryptography based on the RSA algorithm, covering
   cryptographic primitives, encryption schemes, signature schemes with
   appendix, and ASN.1 syntax for representing keys and for identifying
   the schemes.

   This document represents a republication of PKCS #1 v2.2 from RSA
   Laboratories' Public-Key Cryptography Standards (PKCS) series.  By
   publishing this RFC, change control is transferred to the IETF.

   This document also obsoletes RFC 3447.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc8017.

[Page 2] 
Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Top       Page 3 
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   5
   2.  Notation  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
   3.  Key Types . . . . . . . . . . . . . . . . . . . . . . . . . .   8
     3.1.  RSA Public Key  . . . . . . . . . . . . . . . . . . . . .   8
     3.2.  RSA Private Key . . . . . . . . . . . . . . . . . . . . .   9
   4.  Data Conversion Primitives  . . . . . . . . . . . . . . . . .  11
     4.1.  I2OSP . . . . . . . . . . . . . . . . . . . . . . . . . .  11
     4.2.  OS2IP . . . . . . . . . . . . . . . . . . . . . . . . . .  12
   5.  Cryptographic Primitives  . . . . . . . . . . . . . . . . . .  12
     5.1.  Encryption and Decryption Primitives  . . . . . . . . . .  12
       5.1.1.  RSAEP . . . . . . . . . . . . . . . . . . . . . . . .  13
       5.1.2.  RSADP . . . . . . . . . . . . . . . . . . . . . . . .  13
     5.2.  Signature and Verification Primitives . . . . . . . . . .  15
       5.2.1.  RSASP1  . . . . . . . . . . . . . . . . . . . . . . .  15
       5.2.2.  RSAVP1  . . . . . . . . . . . . . . . . . . . . . . .  16
   6.  Overview of Schemes . . . . . . . . . . . . . . . . . . . . .  17
   7.  Encryption Schemes  . . . . . . . . . . . . . . . . . . . . .  18
     7.1.  RSAES-OAEP  . . . . . . . . . . . . . . . . . . . . . . .  19
       7.1.1.  Encryption Operation  . . . . . . . . . . . . . . . .  22
       7.1.2.  Decryption Operation  . . . . . . . . . . . . . . . .  25
     7.2.  RSAES-PKCS1-v1_5  . . . . . . . . . . . . . . . . . . . .  27
       7.2.1.  Encryption Operation  . . . . . . . . . . . . . . . .  28
       7.2.2.  Decryption Operation  . . . . . . . . . . . . . . . .  29
   8.  Signature Scheme with Appendix  . . . . . . . . . . . . . . .  31
     8.1.  RSASSA-PSS  . . . . . . . . . . . . . . . . . . . . . . .  32
       8.1.1.  Signature Generation Operation  . . . . . . . . . . .  33
       8.1.2.  Signature Verification Operation  . . . . . . . . . .  34
     8.2.  RSASSA-PKCS1-v1_5 . . . . . . . . . . . . . . . . . . . .  35
       8.2.1.  Signature Generation Operation  . . . . . . . . . . .  36
       8.2.2.  Signature Verification Operation  . . . . . . . . . .  37
   9.  Encoding Methods for Signatures with Appendix . . . . . . . .  39
     9.1.  EMSA-PSS  . . . . . . . . . . . . . . . . . . . . . . . .  40
       9.1.1.  Encoding Operation  . . . . . . . . . . . . . . . . .  42
       9.1.2.  Verification Operation  . . . . . . . . . . . . . . .  44
     9.2.  EMSA-PKCS1-v1_5 . . . . . . . . . . . . . . . . . . . . .  45
   10. Security Considerations . . . . . . . . . . . . . . . . . . .  47
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  48
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  48
     11.2.  Informative References . . . . . . . . . . . . . . . . .  48

Top      ToC       Page 4 
   Appendix A.  ASN.1 Syntax . . . . . . . . . . . . . . . . . . . .  54
     A.1.  RSA Key Representation  . . . . . . . . . . . . . . . . .  54
       A.1.1.  RSA Public Key Syntax . . . . . . . . . . . . . . . .  54
       A.1.2.  RSA Private Key Syntax  . . . . . . . . . . . . . . .  55
     A.2.  Scheme Identification . . . . . . . . . . . . . . . . . .  57
       A.2.1.  RSAES-OAEP  . . . . . . . . . . . . . . . . . . . . .  57
       A.2.2.  RSAES-PKCS-v1_5 . . . . . . . . . . . . . . . . . . .  60
       A.2.3.  RSASSA-PSS  . . . . . . . . . . . . . . . . . . . . .  60
       A.2.4.  RSASSA-PKCS-v1_5  . . . . . . . . . . . . . . . . . .  62
   Appendix B.  Supporting Techniques  . . . . . . . . . . . . . . .  63
     B.1.  Hash Functions  . . . . . . . . . . . . . . . . . . . . .  63
     B.2.  Mask Generation Functions . . . . . . . . . . . . . . . .  66
       B.2.1.  MGF1  . . . . . . . . . . . . . . . . . . . . . . . .  67
   Appendix C.  ASN.1 Module . . . . . . . . . . . . . . . . . . . .  68
   Appendix D.  Revision History of PKCS #1  . . . . . . . . . . . .  76
   Appendix E.  About PKCS . . . . . . . . . . . . . . . . . . . . .  77
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  78
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  78

1.  Introduction

   This document provides recommendations for the implementation of
   public-key cryptography based on the RSA algorithm [RSA], covering
   the following aspects:

   o  Cryptographic primitives

   o  Encryption schemes

   o  Signature schemes with appendix

   o  ASN.1 syntax for representing keys and for identifying the schemes

   The recommendations are intended for general application within
   computer and communications systems and as such include a fair amount
   of flexibility.  It is expected that application standards based on
   these specifications may include additional constraints.  The
   recommendations are intended to be compatible with the standards IEEE
   1363 [IEEE1363], IEEE 1363a [IEEE1363A], and ANSI X9.44 [ANSIX944].

   This document supersedes PKCS #1 version 2.1 [RFC3447] but includes
   compatible techniques.

   The organization of this document is as follows:

   o  Section 1 is an introduction.

   o  Section 2 defines some notation used in this document.

Top      ToC       Page 5 
   o  Section 3 defines the RSA public and private key types.

   o  Sections 4 and 5 define several primitives, or basic mathematical
      operations.  Data conversion primitives are in Section 4, and
      cryptographic primitives (encryption-decryption and signature-
      verification) are in Section 5.

   o  Sections 6, 7, and 8 deal with the encryption and signature
      schemes in this document.  Section 6 gives an overview.  Along
      with the methods found in PKCS #1 v1.5, Section 7 defines an
      encryption scheme based on Optimal Asymmetric Encryption Padding
      (OAEP) [OAEP], and Section 8 defines a signature scheme with
      appendix based on the Probabilistic Signature Scheme (PSS)
      [RSARABIN] [PSS].

   o  Section 9 defines the encoding methods for the signature schemes
      in Section 8.

   o  Appendix A defines the ASN.1 syntax for the keys defined in
      Section 3 and the schemes in Sections 7 and 8.

   o  Appendix B defines the hash functions and the mask generation
      function (MGF) used in this document, including ASN.1 syntax for
      the techniques.

   o  Appendix C gives an ASN.1 module.

   o  Appendices D and E outline the revision history of PKCS #1 and
      provide general information about the Public-Key Cryptography
      Standards.

   This document represents a republication of PKCS #1 v2.2 [PKCS1_22]
   from RSA Laboratories' Public-Key Cryptography Standards (PKCS)
   series.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Top      ToC       Page 6 
2.  Notation

   The notation in this document includes:

      c              ciphertext representative, an integer between 0 and
                     n-1

      C              ciphertext, an octet string

      d              RSA private exponent

      d_i            additional factor r_i's CRT exponent,
                     a positive integer such that

                       e * d_i == 1 (mod (r_i-1)), i = 3, ..., u

      dP             p's CRT exponent, a positive integer such that

                       e * dP == 1 (mod (p-1))

      dQ             q's CRT exponent, a positive integer such that

                       e * dQ == 1 (mod (q-1))

      e              RSA public exponent

      EM             encoded message, an octet string

      emBits         (intended) length in bits of an encoded message EM

      emLen          (intended) length in octets of an encoded message
                     EM

      GCD(. , .)     greatest common divisor of two nonnegative integers

      Hash           hash function

      hLen           output length in octets of hash function Hash

      k              length in octets of the RSA modulus n

      K              RSA private key

      L              optional RSAES-OAEP label, an octet string

      LCM(., ..., .) least common multiple of a list of nonnegative
                     integers

Top      ToC       Page 7 
      m              message representative, an integer between 0 and
                     n-1

      M              message, an octet string

      mask           MGF output, an octet string

      maskLen        (intended) length of the octet string mask

      MGF            mask generation function

      mgfSeed        seed from which mask is generated, an octet string

      mLen           length in octets of a message M

      n              RSA modulus, n = r_1 * r_2 * ... * r_u , u >= 2

      (n, e)         RSA public key

      p, q           first two prime factors of the RSA modulus n

      qInv           CRT coefficient, a positive integer less than
                     p such that q * qInv == 1 (mod p)

      r_i            prime factors of the RSA modulus n, including
                     r_1 = p, r_2 = q, and additional factors if any

      s              signature representative, an integer between 0 and
                     n-1

      S              signature, an octet string

      sLen           length in octets of the EMSA-PSS salt

      t_i            additional prime factor r_i's CRT coefficient, a
                     positive integer less than r_i such that

                       r_1 * r_2 * ... * r_(i-1) * t_i == 1 (mod r_i) ,

                     i = 3, ... , u

      u              number of prime factors of the RSA modulus, u >= 2

      x              a nonnegative integer

      X              an octet string corresponding to x

      xLen           (intended) length of the octet string X

Top      ToC       Page 8 
      0x             indicator of hexadecimal representation of an octet
                     or an octet string: "0x48" denotes the octet with
                     hexadecimal value 48; "(0x)48 09 0e" denotes the
                     string of three consecutive octets with hexadecimal
                     values 48, 09, and 0e, respectively

      \lambda(n)     LCM(r_1-1, r_2-1, ... , r_u-1)

      \xor           bit-wise exclusive-or of two octet strings

      \ceil(.)       ceiling function; \ceil(x) is the smallest integer
                     larger than or equal to the real number x

      ||             concatenation operator

      ==             congruence symbol; a == b (mod n) means that the
                     integer n divides the integer a - b

   Note: The Chinese Remainder Theorem (CRT) can be applied in a non-
   recursive as well as a recursive way.  In this document, a recursive
   approach following Garner's algorithm [GARNER] is used.  See also
   Note 1 in Section 3.2.

3.  Key Types

   Two key types are employed in the primitives and schemes defined in
   this document: RSA public key and RSA private key.  Together, an RSA
   public key and an RSA private key form an RSA key pair.

   This specification supports so-called "multi-prime" RSA where the
   modulus may have more than two prime factors.  The benefit of multi-
   prime RSA is lower computational cost for the decryption and
   signature primitives, provided that the CRT is used.  Better
   performance can be achieved on single processor platforms, but to a
   greater extent on multiprocessor platforms, where the modular
   exponentiations involved can be done in parallel.

   For a discussion on how multi-prime affects the security of the RSA
   cryptosystem, the reader is referred to [SILVERMAN].

3.1.  RSA Public Key

   For the purposes of this document, an RSA public key consists of two
   components:

         n        the RSA modulus, a positive integer
         e        the RSA public exponent, a positive integer

Top      ToC       Page 9 
   In a valid RSA public key, the RSA modulus n is a product of u
   distinct odd primes r_i, i = 1, 2, ..., u, where u >= 2, and the RSA
   public exponent e is an integer between 3 and n - 1 satisfying
   GCD(e,\lambda(n)) = 1, where \lambda(n) = LCM(r_1 - 1, ..., r_u - 1).
   By convention, the first two primes r_1 and r_2 may also be denoted p
   and q, respectively.

   A recommended syntax for interchanging RSA public keys between
   implementations is given in Appendix A.1.1; an implementation's
   internal representation may differ.

3.2.  RSA Private Key

   For the purposes of this document, an RSA private key may have either
   of two representations.

   1.  The first representation consists of the pair (n, d), where the
       components have the following meanings:

            n       the RSA modulus, a positive integer
            d       the RSA private exponent, a positive integer

   2.  The second representation consists of a quintuple (p, q, dP, dQ,
       qInv) and a (possibly empty) sequence of triplets (r_i, d_i,
       t_i), i = 3, ..., u, one for each prime not in the quintuple,
       where the components have the following meanings:

            p      the first factor, a positive integer
            q      the second factor, a positive integer
            dP     the first factor's CRT exponent, a positive integer
            dQ     the second factor's CRT exponent, a positive integer
            qInv   the (first) CRT coefficient, a positive integer
            r_i    the i-th factor, a positive integer
            d_i    the i-th factor's CRT exponent, a positive integer
            t_i    the i-th factor's CRT coefficient, a positive integer

   In a valid RSA private key with the first representation, the RSA
   modulus n is the same as in the corresponding RSA public key and is
   the product of u distinct odd primes r_i, i = 1, 2, ..., u, where u
   >= 2.  The RSA private exponent d is a positive integer less than n
   satisfying

      e * d == 1 (mod \lambda(n)),

   where e is the corresponding RSA public exponent and \lambda(n) is
   defined as in Section 3.1.

Top      ToC       Page 10 
   In a valid RSA private key with the second representation, the two
   factors p and q are the first two prime factors of the RSA modulus n
   (i.e., r_1 and r_2); the CRT exponents dP and dQ are positive
   integers less than p and q, respectively, satisfying

      e * dP == 1 (mod (p-1))

      e * dQ == 1 (mod (q-1)) ,

   and the CRT coefficient qInv is a positive integer less than p
   satisfying

      q * qInv == 1 (mod p).

   If u > 2, the representation will include one or more triplets (r_i,
   d_i, t_i), i = 3, ..., u.  The factors r_i are the additional prime
   factors of the RSA modulus n.  Each CRT exponent d_i (i = 3, ..., u)
   satisfies

      e * d_i == 1 (mod (r_i - 1)).

   Each CRT coefficient t_i (i = 3, ..., u) is a positive integer less
   than r_i satisfying

      R_i * t_i == 1 (mod r_i) ,

   where R_i = r_1 * r_2 * ... * r_(i-1).

   A recommended syntax for interchanging RSA private keys between
   implementations, which includes components from both representations,
   is given in Appendix A.1.2; an implementation's internal
   representation may differ.

   Notes:

   1.  The definition of the CRT coefficients here and the formulas that
       use them in the primitives in Section 5 generally follow Garner's
       algorithm [GARNER] (see also Algorithm 14.71 in [HANDBOOK]).
       However, for compatibility with the representations of RSA
       private keys in PKCS #1 v2.0 and previous versions, the roles of
       p and q are reversed compared to the rest of the primes.  Thus,
       the first CRT coefficient, qInv, is defined as the inverse of q
       mod p, rather than as the inverse of R_1 mod r_2, i.e., of
       p mod q.

   2.  Quisquater and Couvreur [FASTDEC] observed the benefit of
       applying the CRT to RSA operations.

Top      ToC       Page 11 
4.  Data Conversion Primitives

   Two data conversion primitives are employed in the schemes defined in
   this document:

   o  I2OSP - Integer-to-Octet-String primitive

   o  OS2IP - Octet-String-to-Integer primitive

   For the purposes of this document, and consistent with ASN.1 syntax,
   an octet string is an ordered sequence of octets (eight-bit bytes).
   The sequence is indexed from first (conventionally, leftmost) to last
   (rightmost).  For purposes of conversion to and from integers, the
   first octet is considered the most significant in the following
   conversion primitives.

4.1.  I2OSP

   I2OSP converts a nonnegative integer to an octet string of a
   specified length.

   I2OSP (x, xLen)

   Input:

      x        nonnegative integer to be converted

      xLen     intended length of the resulting octet string

   Output:

         X corresponding octet string of length xLen

   Error:  "integer too large"

   Steps:

      1.  If x >= 256^xLen, output "integer too large" and stop.

      2.  Write the integer x in its unique xLen-digit representation in
          base 256:

             x = x_(xLen-1) 256^(xLen-1) + x_(xLen-2) 256^(xLen-2) + ...
             + x_1 256 + x_0,

          where 0 <= x_i < 256 (note that one or more leading digits
          will be zero if x is less than 256^(xLen-1)).

Top      ToC       Page 12 
      3.  Let the octet X_i have the integer value x_(xLen-i) for 1 <= i
          <= xLen.  Output the octet string

             X = X_1 X_2 ... X_xLen.

4.2.  OS2IP

   OS2IP converts an octet string to a nonnegative integer.

   OS2IP (X)

   Input:  X octet string to be converted

   Output:  x corresponding nonnegative integer

   Steps:

      1.  Let X_1 X_2 ... X_xLen be the octets of X from first to last,
          and let x_(xLen-i) be the integer value of the octet X_i for 1
          <= i <= xLen.

      2.  Let x = x_(xLen-1) 256^(xLen-1) + x_(xLen-2) 256^(xLen-2) +
          ...  + x_1 256 + x_0.

      3.  Output x.

5.  Cryptographic Primitives

   Cryptographic primitives are basic mathematical operations on which
   cryptographic schemes can be built.  They are intended for
   implementation in hardware or as software modules and are not
   intended to provide security apart from a scheme.

   Four types of primitive are specified in this document, organized in
   pairs: encryption and decryption; and signature and verification.

   The specifications of the primitives assume that certain conditions
   are met by the inputs, in particular that RSA public and private keys
   are valid.

5.1.  Encryption and Decryption Primitives

   An encryption primitive produces a ciphertext representative from a
   message representative under the control of a public key, and a
   decryption primitive recovers the message representative from the
   ciphertext representative under the control of the corresponding
   private key.

Top      ToC       Page 13 
   One pair of encryption and decryption primitives is employed in the
   encryption schemes defined in this document and is specified here:
   RSA Encryption Primitive (RSAEP) / RSA Decryption Primitive (RSADP).
   RSAEP and RSADP involve the same mathematical operation, with
   different keys as input.  The primitives defined here are the same as
   Integer Factorization Encryption Primitive using RSA (IFEP-RSA) /
   Integer Factorization Decryption Primitive using RSA (IFDP-RSA) in
   IEEE 1363 [IEEE1363] (except that support for multi-prime RSA has
   been added) and are compatible with PKCS #1 v1.5.

   The main mathematical operation in each primitive is exponentiation.

5.1.1.  RSAEP

   RSAEP ((n, e), m)

   Input:

         (n, e) RSA public key

         m message representative, an integer between 0 and n - 1

   Output:  c ciphertext representative, an integer between 0 and n - 1

   Error:  "message representative out of range"

   Assumption:  RSA public key (n, e) is valid

   Steps:

      1.  If the message representative m is not between 0 and n - 1,
          output "message representative out of range" and stop.

      2.  Let c = m^e mod n.

      3.  Output c.

5.1.2.  RSADP

   RSADP (K, c)

   Input:

         K RSA private key, where K has one of the following forms:

         +  a pair (n, d)

Top      ToC       Page 14 
         +  a quintuple (p, q, dP, dQ, qInv) and a possibly empty
            sequence of triplets (r_i, d_i, t_i), i = 3, ..., u

         c ciphertext representative, an integer between 0 and n - 1

   Output:  m message representative, an integer between 0 and n - 1

   Error:  "ciphertext representative out of range"

   Assumption:  RSA private key K is valid

   Steps:

      1.  If the ciphertext representative c is not between 0 and n - 1,
          output "ciphertext representative out of range" and stop.

      2.  The message representative m is computed as follows.

          a.  If the first form (n, d) of K is used, let m = c^d mod n.

          b.  If the second form (p, q, dP, dQ, qInv) and (r_i, d_i,
              t_i) of K is used, proceed as follows:

              i.   Let m_1 = c^dP mod p and m_2 = c^dQ mod q.

              ii.  If u > 2, let m_i = c^(d_i) mod r_i, i = 3, ..., u.

              iii. Let h = (m_1 - m_2) * qInv mod p.

              iv.  Let m = m_2 + q * h.

              v.   If u > 2, let R = r_1 and for i = 3 to u do

                   1.  Let R = R * r_(i-1).

                   2.  Let h = (m_i - m) * t_i mod r_i.

                   3.  Let m = m + R * h.

      3.  Output m.

   Note: Step 2.b can be rewritten as a single loop, provided that one
   reverses the order of p and q.  For consistency with PKCS #1 v2.0,
   however, the first two primes p and q are treated separately from the
   additional primes.

Top      ToC       Page 15 
5.2.  Signature and Verification Primitives

   A signature primitive produces a signature representative from a
   message representative under the control of a private key, and a
   verification primitive recovers the message representative from the
   signature representative under the control of the corresponding
   public key.  One pair of signature and verification primitives is
   employed in the signature schemes defined in this document and is
   specified here: RSA Signature Primitive, version 1 (RSASP1) / RSA
   Verification Primitive, version 1 (RSAVP1).

   The primitives defined here are the same as Integer Factorization
   Signature Primitive using RSA, version 1 (IFSP-RSA1) / Integer
   Factorization Verification Primitive using RSA, version 1 (IFVP-RSA1)
   in IEEE 1363 [IEEE1363] (except that support for multi-prime RSA has
   been added) and are compatible with PKCS #1 v1.5.

   The main mathematical operation in each primitive is exponentiation,
   as in the encryption and decryption primitives of Section 5.1.
   RSASP1 and RSAVP1 are the same as RSADP and RSAEP except for the
   names of their input and output arguments; they are distinguished as
   they are intended for different purposes.

5.2.1.  RSASP1

   RSASP1 (K, m)

   Input:

      K        RSA private key, where K has one of the following forms:
               - a pair (n, d)
               - a quintuple (p, q, dP, dQ, qInv) and a (possibly empty)
                 sequence of triplets (r_i, d_i, t_i), i = 3, ..., u
      m        message representative, an integer between 0 and n - 1


   Output:

      s        signature representative, an integer between 0 and n - 1

   Error:  "message representative out of range"

   Assumption:  RSA private key K is valid

Top      ToC       Page 16 
   Steps:

      1.  If the message representative m is not between 0 and n - 1,
          output "message representative out of range" and stop.

      2.  The signature representative s is computed as follows.

          a.  If the first form (n, d) of K is used, let s = m^d mod n.

          b.  If the second form (p, q, dP, dQ, qInv) and (r_i, d_i,
              t_i) of K is used, proceed as follows:

              1.  Let s_1 = m^dP mod p and s_2 = m^dQ mod q.

              2.  If u > 2, let s_i = m^(d_i) mod r_i, i = 3, ..., u.

              3.  Let h = (s_1 - s_2) * qInv mod p.

              4.  Let s = s_2 + q * h.

              5.  If u > 2, let R = r_1 and for i = 3 to u do

                  a.  Let R = R * r_(i-1).

                  b.  Let h = (s_i - s) * t_i mod r_i.

                  c.  Let s = s + R * h.

      3.  Output s.

   Note: Step 2.b can be rewritten as a single loop, provided that one
   reverses the order of p and q.  For consistency with PKCS #1 v2.0,
   however, the first two primes p and q are treated separately from the
   additional primes.

5.2.2.  RSAVP1

   RSAVP1 ((n, e), s)

   Input:

         (n, e) RSA public key

         s signature representative, an integer between 0 and n - 1

Top      ToC       Page 17 
   Output:

         m message representative, an integer between 0 and n - 1

   Error:  "signature representative out of range"

   Assumption:  RSA public key (n, e) is valid

   Steps:

      1.  If the signature representative s is not between 0 and n - 1,
          output "signature representative out of range" and stop.

      2.  Let m = s^e mod n.

      3.  Output m.

6.  Overview of Schemes

   A scheme combines cryptographic primitives and other techniques to
   achieve a particular security goal.  Two types of scheme are
   specified in this document: encryption schemes and signature schemes
   with appendix.

   The schemes specified in this document are limited in scope in that
   their operations consist only of steps to process data with an RSA
   public or private key, and they do not include steps for obtaining or
   validating the key.  Thus, in addition to the scheme operations, an
   application will typically include key management operations by which
   parties may select RSA public and private keys for a scheme
   operation.  The specific additional operations and other details are
   outside the scope of this document.

   As was the case for the cryptographic primitives (Section 5), the
   specifications of scheme operations assume that certain conditions
   are met by the inputs, in particular that RSA public and private keys
   are valid.  The behavior of an implementation is thus unspecified
   when a key is invalid.  The impact of such unspecified behavior
   depends on the application.  Possible means of addressing key
   validation include explicit key validation by the application; key
   validation within the public-key infrastructure; and assignment of
   liability for operations performed with an invalid key to the party
   who generated the key.

   A generally good cryptographic practice is to employ a given RSA key
   pair in only one scheme.  This avoids the risk that vulnerability in
   one scheme may compromise the security of the other and may be
   essential to maintain provable security.  While RSAES-PKCS1-v1_5

Top      ToC       Page 18 
   (Section 7.2) and RSASSA-PKCS1-v1_5 (Section 8.2) have traditionally
   been employed together without any known bad interactions (indeed,
   this is the model introduced by PKCS #1 v1.5), such a combined use of
   an RSA key pair is NOT RECOMMENDED for new applications.

   To illustrate the risks related to the employment of an RSA key pair
   in more than one scheme, suppose an RSA key pair is employed in both
   RSAES-OAEP (Section 7.1) and RSAES-PKCS1-v1_5.  Although RSAES-OAEP
   by itself would resist attack, an opponent might be able to exploit a
   weakness in the implementation of RSAES-PKCS1-v1_5 to recover
   messages encrypted with either scheme.  As another example, suppose
   an RSA key pair is employed in both RSASSA-PSS (Section 8.1) and
   RSASSA-PKCS1-v1_5.  Then the security proof for RSASSA-PSS would no
   longer be sufficient since the proof does not account for the
   possibility that signatures might be generated with a second scheme.
   Similar considerations may apply if an RSA key pair is employed in
   one of the schemes defined here and in a variant defined elsewhere.



(page 18 continued on part 2)

Next Section