NIST and other - mainly older - standards often don't just mention PKCS#1 RSA algorithms but also X9.31 RSA algorithms.
What are the differences between X9.31 and PKCS#1 (v2.1) with regards to
Well, there are indeed differences between the two standards, as you can see below:
- key pair generation
X9.31 requires that $p-1$, $p+1$, $q-1$, $q+1$ all have prime factors between $2^{100}$ and $2^{120}$, and that $p$ and $q$ differ in at least one of the first 100 bits. These requirements are there to frustrate suboptimal factoring methods, and have been inherited (albeit in an adjusted form) by FIPS 186.
X9.31 requires that $e$ be between 2 (well, 3 for RSA) and $2^{k-160}$ (where the modulus is $k$ bits); that is, it forbids public exponents close to the size of the modulus.
PKCS #1 does not list any specific requirements on key generation.
- signature generation
X9.31 lists a deterministic signature padding format of the form: 0x6bbbbbb...bbba[hash][hash code], where [hash] is where you insert the hash, [hash code] is a 16 bit value that encodes the hash type, and there are enough b digits to make the value precisely fill the block. BTW: since X9.31 assumes that the key size is one of a specific set of values, all of which are multiples of 4, there's no problem with the leading hex digit being '6'.
PKCS #1 lists rather different signature padding types; RSASSA-PSS (which is a probabilitic signature type), and RSASSA-PKCS1-v1_5 (which is deterministic).
I've never actually seen the X9.31 padding format used in practice.
- encryption
X9.31 does not address encryption at all.
