Cryptology ePrint Archive: Report 2002/115

Universal Padding Schemes for RSA

Jean-Sébastien Coron and Marc Joye and David Naccache and Pascal Paillier

Abstract: A common practice to encrypt with RSA is to first apply a padding scheme to the message and then to exponentiate the result with the public exponent; an example of this is OAEP. Similarly, the usual way of signing with RSA is to apply some padding scheme and then to exponentiate the result with the private exponent, as for example in PSS. Usually, the RSA modulus used for encrypting is different from the one used for signing. The goal of this paper is to simplify this common setting. First, we show that PSS can also be used for encryption, and gives an encryption scheme semantically secure against adaptive chosen-ciphertext attacks, in the random oracle model. As a result, PSS can be used indifferently for encryption or signature. Moreover, we show that PSS allows to safely use the same RSA key-pairs for both encryption and signature, in a concurrent manner. More generally, we show that using PSS the same set of keys can be used for both encryption and signature for any trapdoor partial-domain one-way permutation. The practical consequences of our result are important: PKIs and public-key implementations can be significantly simplified.

Category / Keywords: public-key cryptography / Provable Security, PSS

Publication Info: Paper published at Crypto 2002

Date: received 12 Aug 2002

Contact author: coron at clipper ens fr

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | BibTeX Citation

Version: 20020812:201956 (All versions of this report)

Short URL: ia.cr/2002/115

Discussion forum: Show discussion | Start new discussion