[cryptography] Error in PKCS #1 v2.1?
paul at ciphergoth.org
Thu Feb 17 07:08:16 EST 2011
Page 27 of PKCS #1 v2.1 states (step 1):
"EMSA-PSS encoding: Apply the EMSA-PSS encoding operation (Section
9.1.1) to the message M to produce an encoded message EM of length
ceil((modBits – 1)/8) octets such that the bit length of the integer
OS2IP (EM) (see Section 4.2) is at most modBits – 1, where modBits is
the length in bits of the RSA modulus n"
Surely where it says ceil((modBits – 1)/8) it has to mean floor((modBits
– 1)/8)? For a simple example, suppose the modulus were 10 bits. Then
ceil((modBits – 1)/8) = 2, so EM will be two bytes long, too long for a
10 bit modulus. If the floor function is used, then EM will always be
exactly the maximum length in bytes that a modulus of length modBits can
be guaranteed to handle properly.
The same problem I think applies to the references to the ceiling
function on pages 35 and 36. Note that where I write "ceil", the
standard uses the usual notation for this, as defined on page 5. I can't
find this in the errata or by searching - is this a real error, or am I
misreading the standard?
\/ o\ Paul Crowley, paul at ciphergoth.org
More information about the cryptography