International Association for Cryptologic Research

International Association
for Cryptologic Research


Paper: Universal Padding Schemes for RSA

Jean-S├ębastien Coron
Marc Joye
David Naccache
Pascal Paillier
Search ePrint
Search Google
Abstract: A common practice to encrypt with RSA is to first apply a padding scheme to the message and then to exponentiate the result with the public exponent; an example of this is OAEP. Similarly, the usual way of signing with RSA is to apply some padding scheme and then to exponentiate the result with the private exponent, as for example in PSS. Usually, the RSA modulus used for encrypting is different from the one used for signing. The goal of this paper is to simplify this common setting. First, we show that PSS can also be used for encryption, and gives an encryption scheme semantically secure against adaptive chosen-ciphertext attacks, in the random oracle model. As a result, PSS can be used indifferently for encryption or signature. Moreover, we show that PSS allows to safely use the same RSA key-pairs for both encryption and signature, in a concurrent manner. More generally, we show that using PSS the same set of keys can be used for both encryption and signature for any trapdoor partial-domain one-way permutation. The practical consequences of our result are important: PKIs and public-key implementations can be significantly simplified.
  title={Universal Padding Schemes for RSA},
  booktitle={IACR Eprint archive},
  keywords={public-key cryptography / Provable Security, PSS},
  note={Paper published at Crypto 2002 11911 received 12 Aug 2002},
  author={Jean-S├ębastien Coron and Marc Joye and David Naccache and Pascal Paillier},