Tech-invite3GPPspaceIETFspace
96959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 3447

Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1

Pages: 72
Obsoletes:  2437
Obsoleted by:  8017
Part 1 of 3 – Pages 1 to 14
None   None   Next

ToP   noToC   RFC3447 - Page 1
Network Working Group                                         J. Jonsson
Request for Comments: 3447                                    B. Kaliski
Obsoletes: 2437                                         RSA Laboratories
Category: Informational                                    February 2003


     Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography
                      Specifications Version 2.1

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

This memo represents a republication of PKCS #1 v2.1 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document is taken directly from the PKCS #1 v2.1 document, with certain corrections made during the publication process.

Table of Contents

1. Introduction...............................................2 2. Notation...................................................3 3. Key types..................................................6 3.1 RSA public key..........................................6 3.2 RSA private key.........................................7 4. Data conversion primitives.................................8 4.1 I2OSP...................................................9 4.2 OS2IP...................................................9 5. Cryptographic primitives..................................10 5.1 Encryption and decryption primitives...................10 5.2 Signature and verification primitives..................12 6. Overview of schemes.......................................14 7. Encryption schemes........................................15 7.1 RSAES-OAEP.............................................16 7.2 RSAES-PKCS1-v1_5.......................................23 8. Signature schemes with appendix...........................27 8.1 RSASSA-PSS.............................................29 8.2 RSASSA-PKCS1-v1_5......................................32 9. Encoding methods for signatures with appendix.............35
ToP   noToC   RFC3447 - Page 2
      9.1      EMSA-PSS...............................................36
      9.2      EMSA-PKCS1-v1_5........................................41
   Appendix A. ASN.1 syntax...........................................44
      A.1      RSA key representation.................................44
      A.2      Scheme identification..................................46
   Appendix B. Supporting techniques..................................52
      B.1      Hash functions.........................................52
      B.2      Mask generation functions..............................54
   Appendix C. ASN.1 module...........................................56
   Appendix D. Intellectual Property Considerations...................63
   Appendix E. Revision history.......................................64
   Appendix F. References.............................................65
   Appendix G. About PKCS.............................................70
   Appendix H. Corrections Made During RFC Publication Process........70
   Security Considerations............................................70
   Acknowledgements...................................................71
   Authors' Addresses.................................................71
   Full Copyright Statement...........................................72

1. Introduction

This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm [42], covering the following aspects: * Cryptographic primitives * Encryption schemes * Signature schemes with appendix * ASN.1 syntax for representing keys and for identifying the schemes The recommendations are intended for general application within computer and communications systems, and as such include a fair amount of flexibility. It is expected that application standards based on these specifications may include additional constraints. The recommendations are intended to be compatible with the standard IEEE-1363-2000 [26] and draft standards currently being developed by the ANSI X9F1 [1] and IEEE P1363 [27] working groups. This document supersedes PKCS #1 version 2.0 [35][44] but includes compatible techniques.
ToP   noToC   RFC3447 - Page 3
   The organization of this document is as follows:

    * Section 1 is an introduction.

    * Section 2 defines some notation used in this document.

    * Section 3 defines the RSA public and private key types.

    * Sections 4 and 5 define several primitives, or basic mathematical
      operations.  Data conversion primitives are in Section 4, and
      cryptographic primitives (encryption-decryption, signature-
      verification) are in Section 5.

    * Sections 6, 7, and 8 deal with the encryption and signature
      schemes in this document.  Section 6 gives an overview.  Along
      with the methods found in PKCS #1 v1.5, Section 7 defines an
      OAEP-based [3] encryption scheme and Section 8 defines a PSS-based
      [4][5] signature scheme with appendix.

    * Section 9 defines the encoding methods for the signature schemes
      in Section 8.

    * Appendix A defines the ASN.1 syntax for the keys defined in
      Section 3 and the schemes in Sections 7 and 8.

    * Appendix B defines the hash functions and the mask generation
      function used in this document, including ASN.1 syntax for the
      techniques.

    * Appendix C gives an ASN.1 module.

    * Appendices D, E, F and G cover intellectual property issues,
      outline the revision history of PKCS #1, give references to other
      publications and standards, and provide general information about
      the Public-Key Cryptography Standards.

2. Notation

c ciphertext representative, an integer between 0 and n-1 C ciphertext, an octet string d RSA private exponent
ToP   noToC   RFC3447 - Page 4
   d_i            additional factor r_i's CRT exponent, a positive
                  integer such that

                    e * d_i == 1 (mod (r_i-1)), i = 3, ..., u

   dP             p's CRT exponent, a positive integer such that

                    e * dP == 1 (mod (p-1))

   dQ             q's CRT exponent, a positive integer such that

                    e * dQ == 1 (mod (q-1))

   e              RSA public exponent

   EM             encoded message, an octet string

   emBits         (intended) length in bits of an encoded message EM

   emLen          (intended) length in octets of an encoded message EM

   GCD(. , .)     greatest common divisor of two nonnegative integers

   Hash           hash function

   hLen           output length in octets of hash function Hash

   k              length in octets of the RSA modulus n

   K              RSA private key

   L              optional RSAES-OAEP label, an octet string

   LCM(., ..., .) least common multiple of a list of nonnegative
                  integers

   m              message representative, an integer between 0 and n-1

   M              message, an octet string

   mask           MGF output, an octet string

   maskLen        (intended) length of the octet string mask

   MGF            mask generation function

   mgfSeed        seed from which mask is generated, an octet string
ToP   noToC   RFC3447 - Page 5
   mLen           length in octets of a message M

   n              RSA modulus, n = r_1 * r_2 * ... * r_u , u >= 2

   (n, e)         RSA public key

   p, q           first two prime factors of the RSA modulus n

   qInv           CRT coefficient, a positive integer less than p such
                  that

                    q * qInv == 1 (mod p)

   r_i            prime factors of the RSA modulus n, including r_1 = p,
                  r_2 = q, and additional factors if any

   s              signature representative, an integer between 0 and n-1

   S              signature, an octet string

   sLen           length in octets of the EMSA-PSS salt

   t_i            additional prime factor r_i's CRT coefficient, a
                  positive integer less than r_i such that

                    r_1 * r_2 * ... * r_(i-1) * t_i == 1 (mod r_i) ,

                  i = 3, ... , u

   u              number of prime factors of the RSA modulus, u >= 2

   x              a nonnegative integer

   X              an octet string corresponding to x

   xLen           (intended) length of the octet string X

   0x             indicator of hexadecimal representation of an octet or
                  an octet string; "0x48" denotes the octet with
                  hexadecimal value 48; "(0x)48 09 0e" denotes the
                  string of three consecutive octets with hexadecimal
                  value 48, 09, and 0e, respectively

   \lambda(n)     LCM(r_1-1, r_2-1, ... , r_u-1)

   \xor           bit-wise exclusive-or of two octet strings
ToP   noToC   RFC3447 - Page 6
   \ceil(.)       ceiling function; \ceil(x) is the smallest integer
                  larger than or equal to the real number x

   ||             concatenation operator

   ==             congruence symbol; a == b (mod n) means that the
                  integer n divides the integer a - b

   Note.  The CRT can be applied in a non-recursive as well as a
   recursive way.  In this document a recursive approach following
   Garner's algorithm [22] is used.  See also Note 1 in Section 3.2.

3. Key types

Two key types are employed in the primitives and schemes defined in this document: RSA public key and RSA private key. Together, an RSA public key and an RSA private key form an RSA key pair. This specification supports so-called "multi-prime" RSA where the modulus may have more than two prime factors. The benefit of multi- prime RSA is lower computational cost for the decryption and signature primitives, provided that the CRT (Chinese Remainder Theorem) is used. Better performance can be achieved on single processor platforms, but to a greater extent on multiprocessor platforms, where the modular exponentiations involved can be done in parallel. For a discussion on how multi-prime affects the security of the RSA cryptosystem, the reader is referred to [49].

3.1 RSA public key

For the purposes of this document, an RSA public key consists of two components: n the RSA modulus, a positive integer e the RSA public exponent, a positive integer In a valid RSA public key, the RSA modulus n is a product of u distinct odd primes r_i, i = 1, 2, ..., u, where u >= 2, and the RSA public exponent e is an integer between 3 and n - 1 satisfying GCD(e, \lambda(n)) = 1, where \lambda(n) = LCM(r_1 - 1, ..., r_u - 1). By convention, the first two primes r_1 and r_2 may also be denoted p and q respectively. A recommended syntax for interchanging RSA public keys between implementations is given in Appendix A.1.1; an implementation's internal representation may differ.
ToP   noToC   RFC3447 - Page 7

3.2 RSA private key

For the purposes of this document, an RSA private key may have either of two representations. 1. The first representation consists of the pair (n, d), where the components have the following meanings: n the RSA modulus, a positive integer d the RSA private exponent, a positive integer 2. The second representation consists of a quintuple (p, q, dP, dQ, qInv) and a (possibly empty) sequence of triplets (r_i, d_i, t_i), i = 3, ..., u, one for each prime not in the quintuple, where the components have the following meanings: p the first factor, a positive integer q the second factor, a positive integer dP the first factor's CRT exponent, a positive integer dQ the second factor's CRT exponent, a positive integer qInv the (first) CRT coefficient, a positive integer r_i the i-th factor, a positive integer d_i the i-th factor's CRT exponent, a positive integer t_i the i-th factor's CRT coefficient, a positive integer In a valid RSA private key with the first representation, the RSA modulus n is the same as in the corresponding RSA public key and is the product of u distinct odd primes r_i, i = 1, 2, ..., u, where u >= 2. The RSA private exponent d is a positive integer less than n satisfying e * d == 1 (mod \lambda(n)), where e is the corresponding RSA public exponent and \lambda(n) is defined as in Section 3.1. In a valid RSA private key with the second representation, the two factors p and q are the first two prime factors of the RSA modulus n (i.e., r_1 and r_2), the CRT exponents dP and dQ are positive integers less than p and q respectively satisfying e * dP == 1 (mod (p-1)) e * dQ == 1 (mod (q-1)) , and the CRT coefficient qInv is a positive integer less than p satisfying q * qInv == 1 (mod p).
ToP   noToC   RFC3447 - Page 8
   If u > 2, the representation will include one or more triplets (r_i,
   d_i, t_i), i = 3, ..., u.  The factors r_i are the additional prime
   factors of the RSA modulus n.  Each CRT exponent d_i (i = 3, ..., u)
   satisfies

      e * d_i == 1 (mod (r_i - 1)).

   Each CRT coefficient t_i (i = 3, ..., u) is a positive integer less
   than r_i satisfying

      R_i * t_i == 1 (mod r_i) ,

   where R_i = r_1 * r_2 * ... * r_(i-1).

   A recommended syntax for interchanging RSA private keys between
   implementations, which includes components from both representations,
   is given in Appendix A.1.2; an implementation's internal
   representation may differ.

   Notes.

   1. The definition of the CRT coefficients here and the formulas that
      use them in the primitives in Section 5 generally follow Garner's
      algorithm [22] (see also Algorithm 14.71 in [37]). However, for
      compatibility with the representations of RSA private keys in PKCS
      #1 v2.0 and previous versions, the roles of p and q are reversed
      compared to the rest of the primes.  Thus, the first CRT
      coefficient, qInv, is defined as the inverse of q mod p, rather
      than as the inverse of R_1 mod r_2, i.e., of p mod q.

   2. Quisquater and Couvreur [40] observed the benefit of applying the
      Chinese Remainder Theorem to RSA operations.

4. Data conversion primitives

Two data conversion primitives are employed in the schemes defined in this document: * I2OSP - Integer-to-Octet-String primitive * OS2IP - Octet-String-to-Integer primitive For the purposes of this document, and consistent with ASN.1 syntax, an octet string is an ordered sequence of octets (eight-bit bytes). The sequence is indexed from first (conventionally, leftmost) to last (rightmost). For purposes of conversion to and from integers, the first octet is considered the most significant in the following conversion primitives.
ToP   noToC   RFC3447 - Page 9

4.1 I2OSP

I2OSP converts a nonnegative integer to an octet string of a specified length. I2OSP (x, xLen) Input: x nonnegative integer to be converted xLen intended length of the resulting octet string Output: X corresponding octet string of length xLen Error: "integer too large" Steps: 1. If x >= 256^xLen, output "integer too large" and stop. 2. Write the integer x in its unique xLen-digit representation in base 256: x = x_(xLen-1) 256^(xLen-1) + x_(xLen-2) 256^(xLen-2) + ... + x_1 256 + x_0, where 0 <= x_i < 256 (note that one or more leading digits will be zero if x is less than 256^(xLen-1)). 3. Let the octet X_i have the integer value x_(xLen-i) for 1 <= i <= xLen. Output the octet string X = X_1 X_2 ... X_xLen.

4.2 OS2IP

OS2IP converts an octet string to a nonnegative integer. OS2IP (X) Input: X octet string to be converted Output: x corresponding nonnegative integer
ToP   noToC   RFC3447 - Page 10
   Steps:

   1. Let X_1 X_2 ... X_xLen be the octets of X from first to last,
      and let x_(xLen-i) be the integer value of the octet X_i for
      1 <= i <= xLen.

   2. Let x = x_(xLen-1) 256^(xLen-1) + x_(xLen-2) 256^(xLen-2) + ...
      + x_1 256 + x_0.

   3. Output x.

5. Cryptographic primitives

Cryptographic primitives are basic mathematical operations on which cryptographic schemes can be built. They are intended for implementation in hardware or as software modules, and are not intended to provide security apart from a scheme. Four types of primitive are specified in this document, organized in pairs: encryption and decryption; and signature and verification. The specifications of the primitives assume that certain conditions are met by the inputs, in particular that RSA public and private keys are valid.

5.1 Encryption and decryption primitives

An encryption primitive produces a ciphertext representative from a message representative under the control of a public key, and a decryption primitive recovers the message representative from the ciphertext representative under the control of the corresponding private key. One pair of encryption and decryption primitives is employed in the encryption schemes defined in this document and is specified here: RSAEP/RSADP. RSAEP and RSADP involve the same mathematical operation, with different keys as input. The primitives defined here are the same as IFEP-RSA/IFDP-RSA in IEEE Std 1363-2000 [26] (except that support for multi-prime RSA has been added) and are compatible with PKCS #1 v1.5. The main mathematical operation in each primitive is exponentiation.
ToP   noToC   RFC3447 - Page 11

5.1.1 RSAEP

RSAEP ((n, e), m) Input: (n, e) RSA public key m message representative, an integer between 0 and n - 1 Output: c ciphertext representative, an integer between 0 and n - 1 Error: "message representative out of range" Assumption: RSA public key (n, e) is valid Steps: 1. If the message representative m is not between 0 and n - 1, output "message representative out of range" and stop. 2. Let c = m^e mod n. 3. Output c.

5.1.2 RSADP

RSADP (K, c) Input: K RSA private key, where K has one of the following forms: - a pair (n, d) - a quintuple (p, q, dP, dQ, qInv) and a possibly empty sequence of triplets (r_i, d_i, t_i), i = 3, ..., u c ciphertext representative, an integer between 0 and n - 1 Output: m message representative, an integer between 0 and n - 1 Error: "ciphertext representative out of range" Assumption: RSA private key K is valid
ToP   noToC   RFC3447 - Page 12
   Steps:

   1. If the ciphertext representative c is not between 0 and n - 1,
      output "ciphertext representative out of range" and stop.

   2. The message representative m is computed as follows.

      a. If the first form (n, d) of K is used, let m = c^d mod n.

      b. If the second form (p, q, dP, dQ, qInv) and (r_i, d_i, t_i)
         of K is used, proceed as follows:

         i.    Let m_1 = c^dP mod p and m_2 = c^dQ mod q.

         ii.   If u > 2, let m_i = c^(d_i) mod r_i, i = 3, ..., u.

         iii.  Let h = (m_1 - m_2) * qInv mod p.

         iv.   Let m = m_2 + q * h.

         v.    If u > 2, let R = r_1 and for i = 3 to u do

                  1. Let R = R * r_(i-1).

                  2. Let h = (m_i - m) * t_i mod r_i.

                  3. Let m = m + R * h.

   3.   Output m.

   Note.  Step 2.b can be rewritten as a single loop, provided that one
   reverses the order of p and q.  For consistency with PKCS #1 v2.0,
   however, the first two primes p and q are treated separately from
   the additional primes.

5.2 Signature and verification primitives

A signature primitive produces a signature representative from a message representative under the control of a private key, and a verification primitive recovers the message representative from the signature representative under the control of the corresponding public key. One pair of signature and verification primitives is employed in the signature schemes defined in this document and is specified here: RSASP1/RSAVP1. The primitives defined here are the same as IFSP-RSA1/IFVP-RSA1 in IEEE 1363-2000 [26] (except that support for multi-prime RSA has been added) and are compatible with PKCS #1 v1.5.
ToP   noToC   RFC3447 - Page 13
   The main mathematical operation in each primitive is
   exponentiation, as in the encryption and decryption primitives of
   Section 5.1.  RSASP1 and RSAVP1 are the same as RSADP and RSAEP
   except for the names of their input and output arguments; they are
   distinguished as they are intended for different purposes.

5.2.1 RSASP1

RSASP1 (K, m) Input: K RSA private key, where K has one of the following forms: - a pair (n, d) - a quintuple (p, q, dP, dQ, qInv) and a (possibly empty) sequence of triplets (r_i, d_i, t_i), i = 3, ..., u m message representative, an integer between 0 and n - 1 Output: s signature representative, an integer between 0 and n - 1 Error: "message representative out of range" Assumption: RSA private key K is valid Steps: 1. If the message representative m is not between 0 and n - 1, output "message representative out of range" and stop. 2. The signature representative s is computed as follows. a. If the first form (n, d) of K is used, let s = m^d mod n. b. If the second form (p, q, dP, dQ, qInv) and (r_i, d_i, t_i) of K is used, proceed as follows: i. Let s_1 = m^dP mod p and s_2 = m^dQ mod q. ii. If u > 2, let s_i = m^(d_i) mod r_i, i = 3, ..., u. iii. Let h = (s_1 - s_2) * qInv mod p. iv. Let s = s_2 + q * h. v. If u > 2, let R = r_1 and for i = 3 to u do 1. Let R = R * r_(i-1).
ToP   noToC   RFC3447 - Page 14
                  2. Let h = (s_i - s) * t_i mod r_i.

                  3. Let s = s + R * h.

   3. Output s.

   Note.  Step 2.b can be rewritten as a single loop, provided that one
   reverses the order of p and q.  For consistency with PKCS #1 v2.0,
   however, the first two primes p and q are treated separately from the
   additional primes.

5.2.2 RSAVP1

RSAVP1 ((n, e), s) Input: (n, e) RSA public key s signature representative, an integer between 0 and n - 1 Output: m message representative, an integer between 0 and n - 1 Error: "signature representative out of range" Assumption: RSA public key (n, e) is valid Steps: 1. If the signature representative s is not between 0 and n - 1, output "signature representative out of range" and stop. 2. Let m = s^e mod n. 3. Output m.


(page 14 continued on part 2)

Next Section