Optimal Asymmetric Encryption Padding (OAEP) and PSS (Probabilistic Signature Scheme)

Optimal asymmetric encryption padding (OAEP): RSA encryption and decryption, as specified in PKCS #1 v2 (RSAES-OAEP), are built on OAEP padding.

PSS (Probabilistic Signature Scheme): RSA signing and verification, as specified in PKCS #1 v2 (RSASSA-PSS), are built on PSS encoding.


The signature schemes are actually signatures with appendix: rather than signing the input data directly, a hash function is applied first to produce an intermediate representation of the data, and the hash output is what gets signed. This technique is almost always used with RSA because the amount of data that can be signed directly is bounded by the key (modulus) size, which is almost always much smaller than the amount of data an application wants to sign.

 

RSAES-OAEP: improved encryption/decryption scheme.
RSASSA-PSS: improved probabilistic signature scheme with appendix.
EMSA-PSS: encoding method for signature with appendix, probabilistic signature scheme.

In cryptography, Optimal Asymmetric Encryption Padding (OAEP) is a padding scheme often used together with RSA encryption. OAEP was introduced by Bellare and Rogaway.[1]

The OAEP algorithm is a form of Feistel network which uses a pair of random oracles G and H to process the plaintext prior to asymmetric encryption. When combined with any secure trapdoor one-way permutation f, this processing is proved in the random oracle model to result in a combined scheme which is semantically secure under chosen plaintext attack (IND-CPA). When implemented with certain trapdoor permutations (e.g., RSA), OAEP is also proved secure against chosen ciphertext attack. OAEP can be used to build an all-or-nothing transform.

OAEP satisfies the following two goals:
Add an element of randomness which can be used to convert a deterministic encryption scheme (e.g., traditional RSA) into a probabilistic scheme.
Prevent partial decryption of ciphertexts (or other information leakage) by ensuring that an adversary cannot recover any portion of the plaintext without being able to invert the trapdoor one-way permutation f.

The original version of OAEP (Bellare/Rogaway, 1994) showed a form of "plaintext awareness" (which they claimed implies security against chosen ciphertext attack) in the random oracle model when OAEP is used with any trapdoor permutation. Subsequent results contradicted this claim, showing that OAEP was only IND-CCA1 secure. However, the original scheme was proved in the random oracle model to be IND-CCA2 secure when OAEP is used with the RSA permutation using standard encryption exponents, as in the case of RSA-OAEP.[2] An improved scheme (called OAEP+) that works with any trapdoor one-way permutation was offered by Victor Shoup to solve this problem.[3] More recent work has shown that in the standard model (that is, when hash functions are not modelled as random oracles) it is impossible to prove the IND-CCA2 security of RSA-OAEP under the assumed hardness of the RSA problem.

 

OAEP

In the diagram (not reproduced here),
n is the number of bits in the RSA modulus.
k0 and k1 are integers fixed by the protocol.
m is the plaintext message, an (n − k0 − k1 )-bit string
G and H are typically some cryptographic hash functions fixed by the protocol.

To encode,
messages are padded with k1 zeros to be n − k0 bits in length.
r is a random k0-bit string
G expands the k0 bits of r to n − k0 bits.
X = m00..0 ⊕ G(r)
H reduces the n − k0 bits of X to k0 bits.
Y = r ⊕ H(X)
The output is X || Y where X is shown in the diagram as the leftmost block and Y as the rightmost block.

To decode,
recover the random string as r = Y ⊕ H(X)
recover the message as m00..0 = X ⊕ G(r)


The "all-or-nothing" security comes from the fact that to recover m you must recover the entire X and the entire Y: X is required to recover r from Y, and r is required to recover m from X. Since changing any single input bit of a cryptographic hash changes the whole output, both X and Y must be recovered completely and exactly.
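The encode and decode steps above, and the all-or-nothing property, as an added worked example that is not part of the original post. It implements the textbook Bellare/Rogaway construction directly; the byte sizes N, K0 and K1, the use of SHA-256 (counter-mode expansion for G, a single hash for H) in place of the random oracles, and the "G"/"H" domain-separation prefixes are this example's own assumptions. It is not the RSAES-OAEP encoding of PKCS #1 (which uses MGF1 for both masks, a label hash, a 0x01 separator and a leading zero byte), but it has the same two-round Feistel structure:

```python
import hashlib
import secrets
from typing import Optional

# Parameter sizes in bytes (assumed for this illustration; a real protocol fixes them).
N = 128                  # n: size of the block X || Y that would be fed to the RSA permutation (1024 bits)
K0 = 32                  # k0: size of the random string r and of H's output
K1 = 32                  # k1: number of zero bytes appended to the message
MSG_LEN = N - K0 - K1    # m must be exactly n - k0 - k1 bytes (64 here)
assert K0 <= hashlib.sha256().digest_size


def G(r: bytes, length: int) -> bytes:
    """Expand the k0-byte seed r to `length` bytes.
    Counter-mode SHA-256 (the same idea as MGF1) stands in for the random oracle G."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(b"G" + r + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def H(x: bytes) -> bytes:
    """Compress X (n - k0 bytes) down to k0 bytes; SHA-256 stands in for the random oracle H."""
    return hashlib.sha256(b"H" + x).digest()[:K0]


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m: bytes, r: Optional[bytes] = None) -> bytes:
    """Return X || Y. r is drawn fresh for every encryption; passing it in is for testing only."""
    if len(m) != MSG_LEN:
        raise ValueError(f"message must be exactly {MSG_LEN} bytes")
    if r is None:
        r = secrets.token_bytes(K0)
    padded = m + b"\x00" * K1          # m || 00..0, n - k0 bytes
    X = xor(padded, G(r, N - K0))      # X = m00..0 xor G(r)
    Y = xor(r, H(X))                   # Y = r xor H(X)
    return X + Y


def oaep_decode(block: bytes) -> bytes:
    """Invert the encoding. G and H are never inverted; the Feistel structure undoes them by recomputation."""
    if len(block) != N:
        raise ValueError("block has the wrong length")
    X, Y = block[: N - K0], block[N - K0:]
    r = xor(Y, H(X))                   # r = Y xor H(X)
    padded = xor(X, G(r, N - K0))      # m00..0 = X xor G(r)
    m, zeros = padded[:MSG_LEN], padded[MSG_LEN:]
    # The k1 zero bytes double as an integrity check: any change to X or Y turns them into random bytes.
    if zeros != b"\x00" * K1:
        raise ValueError("padding check failed")
    return m


def flip_bit(block: bytes, bit_index: int) -> bytes:
    """Return a copy of block with one bit flipped (bit 0 is the most significant bit of byte 0)."""
    b = bytearray(block)
    b[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(b)


def decodes_cleanly(block: bytes) -> bool:
    """True if the block decodes with a valid padding check."""
    try:
        oaep_decode(block)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    m = bytes(range(MSG_LEN))                    # constructed sample message
    block = oaep_encode(m)
    assert oaep_decode(block) == m
    # Same message, fresh r: a different block every time (this is what makes RSA-OAEP probabilistic).
    assert oaep_encode(m) != block
    # One flipped bit in X (bit 0) or in Y (last bit) destroys the whole message, not just one bit of it.
    print("corrupt X still decodes:", decodes_cleanly(flip_bit(block, 0)))
    print("corrupt Y still decodes:", decodes_cleanly(flip_bit(block, 8 * N - 1)))
```

The zero check in oaep_decode is what turns a corrupted block into an explicit failure rather than silent garbage. In a real RSA-OAEP decoder that check, and the RSA decryption step in front of it, must not reveal through timing or distinct error codes which part failed, since such an oracle is exactly what chosen-ciphertext attacks on RSA-OAEP decoders exploit.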

Python offers several libraries for asymmetric encryption; the most commonly used algorithm is RSA. RSA is a public-key algorithm that can be used both for encryption and for digital signatures. In RSA the public key and the private key form a key pair: the public key can be published and anyone can use it to encrypt data, while the private key is accessible only to its owner and is used to decrypt data or to sign. In Python, RSA encryption can be done with the Crypto package (provided by PyCryptodome). Here is a simple example:

```python
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP

# Generate a key pair
key = RSA.generate(2048)

# Export the private and public keys (PEM-encoded bytes)
private_key = key.export_key()
public_key = key.publickey().export_key()

# Encrypt with the public key using RSAES-OAEP padding.
# Note: PKCS1_OAEP.new() defaults to SHA-1 as the OAEP hash; pass hashAlgo=SHA256
# (from Crypto.Hash) for a modern choice.
cipher = PKCS1_OAEP.new(RSA.import_key(public_key))
encrypted_data = cipher.encrypt(b"Hello World!")

# Decrypt with the private key
cipher = PKCS1_OAEP.new(RSA.import_key(private_key))
decrypted_data = cipher.decrypt(encrypted_data)
print(decrypted_data.decode())  # Output: Hello World!
```

In this example, RSA.generate() first produces an RSA key pair, and export_key() returns the public and private keys. A piece of data is then encrypted with the public key and decrypted with the private key, and the decrypted data is printed.

Note that in practice, with asymmetric encryption one normally does not encrypt the raw data directly. Instead the data is encrypted with a symmetric algorithm, the symmetric key is encrypted with the public key, and the encrypted symmetric key is sent to the recipient together with the ciphertext. The recipient decrypts the symmetric key with the private key and then decrypts the ciphertext with the symmetric key. This avoids running the asymmetric algorithm over large amounts of data (RSA-OAEP can only encrypt a message shorter than the modulus, minus the padding overhead) and improves efficiency.
