[cryptography] Error in PKCS #1 v2.1?

James Muir muir.james.a at gmail.com
Thu Feb 17 11:17:28 EST 2011

On 11-02-17 07:08 AM, Paul Crowley wrote:
> http://www.rsa.com/rsalabs/node.asp?id=2125
> Page 27 of PKCS #1 v2.1 states (step 1):
> "EMSA-PSS encoding: Apply the EMSA-PSS encoding operation (Section
> 9.1.1) to the message M to produce an encoded message EM of length
> ceil((modBits – 1)/8) octets such that the bit length of the integer
> OS2IP (EM) (see Section 4.2) is at most modBits – 1, where modBits is
> the length in bits of the RSA modulus n"
> Surely where it says ceil((modBits – 1)/8) it has to mean floor((modBits
> – 1)/8)?  For a simple example, suppose the modulus were 10 bits.  Then
> ceil((modBits – 1)/8) = 2, so EM will be two bytes long, too long for a
> 10 bit modulus.  If the floor function is used, then EM will always be
> exactly the maximum length in bytes that a modulus of length modBits can
> be guaranteed to handle properly.
> The same problem I think applies to the references to the ceiling
> function on pages 35 and 36. Note that where I write "ceil", the
> standard uses the usual notation for this, as defined on page 5. I can't
> find this in the errata or by searching - is this a real error, or am I
> misreading the standard?

I think the standard is correct (i.e. it is ceiling rather than floor).
Remember that the numbers involved in the RSA computation are all
encoded as strings of octets.

In your example, a 10-bit modulus would be represented using
ceiling(10/8) = 2 octets.  And EM is represented using ceiling((10-1)/2)
= 2 octets.
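
The length question discussed in this thread, worked through as an added example (not part of either message, and not code from the standard). It assumes the step in Section 9.1.1 of PKCS #1 v2.1 that sets the leftmost 8*emLen - emBits bits of EM to zero, with emBits = modBits - 1; the function names are hypothetical.

```python
def pss_em_params(mod_bits):
    """Return (emBits, emLen, zero_bits) for an RSA modulus of mod_bits bits."""
    em_bits = mod_bits - 1
    em_len = -(-em_bits // 8)          # ceil(emBits / 8), integer arithmetic only
    zero_bits = 8 * em_len - em_bits   # leftmost bits the encoding forces to zero
    return em_bits, em_len, zero_bits


def clear_top_bits(em, zero_bits):
    """Zero the leftmost zero_bits bits of the first octet of EM."""
    mask = 0xFF >> zero_bits
    return bytes([em[0] & mask]) + em[1:]


def os2ip(octets):
    """Octet string to non-negative integer, big-endian."""
    return int.from_bytes(octets, "big")


def worst_case_fits(mod_bits):
    """Largest possible EM (all ones, then masked) versus the smallest modulus.

    The smallest integer that is mod_bits bits long is 2^(mod_bits - 1), so
    this is the tightest case: if it holds, OS2IP(EM) < n for every such n.
    """
    em_bits, em_len, zero_bits = pss_em_params(mod_bits)
    em = clear_top_bits(b"\xff" * em_len, zero_bits)   # constructed worst case
    value = os2ip(em)
    return value.bit_length() <= em_bits and value < (1 << (mod_bits - 1))


if __name__ == "__main__":
    for mod_bits in (10, 1024, 1025, 2048):
        em_bits, em_len, zero_bits = pss_em_params(mod_bits)
        k = -(-mod_bits // 8)          # octet length of the modulus itself
        print(f"modBits={mod_bits:5d} k={k:4d} emBits={em_bits:5d} "
              f"emLen={em_len:4d} zeroed={zero_bits} fits={worst_case_fits(mod_bits)}")
```

For the 10-bit modulus in the thread, EM is 2 octets with its top 7 bits cleared, so OS2IP(EM) is at most 511 and stays below any 10-bit modulus.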

