[cryptography] Error in PKCS #1 v2.1?

Paul Crowley paul at ciphergoth.org
Thu Feb 17 07:08:16 EST 2011


Page 27 of PKCS #1 v2.1 states (step 1):

"EMSA-PSS encoding: Apply the EMSA-PSS encoding operation (Section 
9.1.1) to the message M to produce an encoded message EM of length 
ceil((modBits – 1)/8) octets such that the bit length of the integer 
OS2IP (EM) (see Section 4.2) is at most modBits – 1, where modBits is 
the length in bits of the RSA modulus n"

Surely where it says ceil((modBits – 1)/8) it has to mean floor((modBits 
– 1)/8)?  For a simple example, suppose the modulus were 10 bits.  Then 
ceil((modBits – 1)/8) = 2, so EM will be two bytes long, too long for a 
10 bit modulus.  If the floor function is used, then EM will always be 
exactly the maximum length in bytes that a modulus of length modBits can 
be guaranteed to handle properly.

The same problem I think applies to the references to the ceiling 
function on pages 35 and 36. Note that where I write "ceil", the 
standard uses the usual notation for this, as defined on page 5. I can't 
find this in the errata or by searching - is this a real error, or am I 
misreading the standard?

\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/

More information about the cryptography mailing list