
If we were observing how many bits are taken from a random number source, what is the total number of bits required for creating a 4096 bit key using a current RSA implementation? This means the total of the number of bits for finding the random primes P and Q, and the random number for the OAEP (padding), and any other random bits that might be needed that I'm not yet aware of.

Thanks!

daniel
  • Key generation does not involve OAEP. OAEP only applies when you encrypt data. – CodesInChaos Nov 14 '17 at 10:51
  • You never really need more than 256 bits of entropy you use to seed a CSPRNG. – CodesInChaos Nov 14 '17 at 10:53
  • @CodesInChaos Isn't that effectively a 256 bit key then? It's the old underlying entropy input thing. Couldn't you (in extremis) use an 8 bit seed to generate a 32 Kbit RSA key? – Paul Uszak Nov 14 '17 at 11:03
  • I was asking because of the question https://crypto.stackexchange.com/q/53118/6417 I'm not even sure the bit length of the key that you get from a 4096 bit RSA, 128 ish? – daniel Nov 14 '17 at 11:06
  • For that just look at https://keylength.com. Note that there is a difference between the key size (the size of the modulus for RSA: 4096 in your case), the effective strength in bits (slightly upwards of 128 bits indeed) and the encoded size of an RSA key (depends on the encoding scheme). – Maarten Bodewes Nov 14 '17 at 11:07
  • @PaulUszak Even accounting for multi-target attacks, a 256-bit seed is stronger than a 4096-bit RSA key, and thus using a secure stream cipher with a 256-bit key to generate a 4096-bit RSA key does not weaken security. In general I recommend 256-bit keys as a safe "immune from brute-force attacks" choice. – CodesInChaos Nov 14 '17 at 11:31
  • @CodesInChaos for me that's adding a complicated thing where you don't have to, there have been compromised CSPRNG that would then weaken the whole system if used. – daniel Nov 14 '17 at 11:41
  • @daniel You always have to post-process raw entropy sources. Might as well use a standard CSPRNG design to do so. – CodesInChaos Nov 14 '17 at 11:52
  • @CodesInChaos that just avoids answering the question. For formal definitions such as Information-theoretic security there is a difference between using a TRNG and a PRNG. – daniel Nov 14 '17 at 11:56
  • @daniel 1) RSA does not offer information theoretical security. 2) Are you asking about the entropy of an RSA key (should be around 4072 bits for a 4096-bit key), or are you asking about how much randomness a typical implementation might consume? Since randomness is cheap, an implementation can easily consume a lot of entropy it effectively throws away. For example by generating random 2048 bit numbers and checking if they're prime, repeated until it is. Plus the Rabin-Miller test is typically randomized as well. – CodesInChaos Nov 14 '17 at 11:59
  • @CodesInChaos 1) If every other part of a hybrid crypto system did offer informational theoretical security then we know the RSA problem is the only attackable part. 2) I am asking about how much randomness a typical implementation might consume. One of the two points people usually bring up about the OTP is how randomness is not cheap. Yep, that is another possible consumer of random bits I did not think about! Recycling thrown away random bits is another interesting topic, a tiny example https://math.stackexchange.com/q/2243304/438622 – daniel Nov 14 '17 at 12:06
  • @daniel OAEP relies on a hash function behaving like a random oracle. Which is already a much stronger assumption than it behaving like a PRF, as you'd need for a CSPRNG. – CodesInChaos Nov 14 '17 at 13:05
  • Random numbers are usually not expensive or difficult to generate (at least when even thinking about using OTP) - the reason why OTP is completely unusable in practice is key management. – tylo Nov 14 '17 at 16:33
  • Funny you say that. If there is any operation that brought my machines to a standstill then it is depleting /dev/random. Nowadays processors have special instructions, but otherwise getting "true" random values can be painfully slow. And when it comes to using a PRNG then 1) you lose the theoretical security and 2) a stream cipher will be much faster. – Maarten Bodewes Nov 14 '17 at 18:59

1 Answer


For creating an RSA key pair you need an undefined number of random bytes from the source. The reason for this is that finding primes is indeterministic and hence multiple large random numbers may be required. In the end this also depends on the details of the key pair generator used.

However, it is possible to use a well seeded DRBG / PRNG for the key pair generation process. A PRNG is a deterministic or pseudo random number generator; it depends on the entropy of the seeds to generate a computationally random stream of bytes. That is: only the seed is truly random, but to an attacker the output of the PRNG is indistinguishable from random.

If a secure PRNG is used then using 256 bits of seed is all you need; for constrained systems you could even bring this down to 128 bits (at the cost of a lower security margin, of course). So if your system has issues generating large amounts of randomness you could seed your own PRNG and inject it into the RSA key pair generator - if that's possible for your runtime.


OAEP is a padding scheme independent of the key pair generation. That is: the calculations performed for key pair generation do not rely on the calculations performed by OAEP. OAEP may be performed on any secure RSA key pair, as many times as required. As per specification it uses hLen random bytes per usage, which means 32 bytes when SHA-256 is used and 64 bytes for SHA-512.

Maarten Bodewes
  • I'm not sure how to change my question, but I was after the number of bits after the PRNG if one was used. Like imagining the random source was either a PRNG or a list of physical coin flips, or anything. Pretty much asking how infeasible is it to use OTP as the symmetric cryptosystem in a hybrid, in terms of random number generation. – daniel Nov 14 '17 at 11:10
  • Do you mean just how many bits can be encrypted by OAEP + the randomness introduced into OAEP? – Maarten Bodewes Nov 14 '17 at 11:13
  • No, I was thinking OAEP would likely be used if you were trying to RSA across a key, that you would later use for an OTP (and would then be something else consuming the output of the RNG). If there is a common RSA implementation that doesn't use OAEP then it's a red herring. – daniel Nov 14 '17 at 11:16
  • "RSA across a key" doesn't make any sense to me. You mean you want to use the output of RSA/OAEP as key? Then you would have a pretty well distributed output of hLen bytes worth of entropy. There is PKCS#1 v1.5 padding, RSA KEM and OAEP, but I don't understand where you are going with that last sentence either. OK, gotta move, will reply more in evening time. – Maarten Bodewes Nov 14 '17 at 11:20
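
The following is an added example, not part of the original thread and not the code of any real RSA library: a toy prime search that tallies how many bits the key generator draws when candidates are regenerated until one is prime and the Miller-Rabin bases are random, as the comments describe. The class and function names, the 5 test rounds and the SHAKE-256 stand-in generator (seeded with 256 bits, as in the answer) are all assumptions made for illustration.

```python
import hashlib

SMALL_PRIMES = [p for p in range(2, 1000) if all(p % d for d in range(2, int(p**0.5) + 1))]

class CountingDRBG:
    """Toy generator: SHAKE-256 over seed||counter. Illustrative stand-in, not a standard DRBG."""
    def __init__(self, seed: bytes):
        self.seed, self.counter, self.bits_drawn = seed, 0, 0

    def randbits(self, k: int) -> int:
        nbytes = (k + 7) // 8
        out = hashlib.shake_256(self.seed + self.counter.to_bytes(8, "big")).digest(nbytes)
        self.counter += 1
        self.bits_drawn += k  # tally what the key generator asked for
        return int.from_bytes(out, "big") >> (nbytes * 8 - k)

def is_probable_prime(n: int, rng: CountingDRBG, rounds: int = 5) -> bool:
    """Trial division, then Miller-Rabin with bases drawn from rng (which costs bits too)."""
    if any(n % s == 0 for s in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + rng.randbits(n.bit_length()) % (n - 3)  # slightly biased; fine for a demo
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite, its candidate bits are discarded
    return True

def random_prime(bits: int, rng: CountingDRBG) -> int:
    while True:
        # Force the top two bits (so p*q has full length) and the low bit (odd).
        c = rng.randbits(bits) | (0b11 << (bits - 2)) | 1
        if is_probable_prime(c, rng):
            return c

def generate_modulus(bits: int, rng: CountingDRBG):
    p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
    while q == p:
        q = random_prime(bits // 2, rng)
    return p * q, p, q
```

Calling `generate_modulus(4096, CountingDRBG(secrets.token_bytes(32)))` and then reading `bits_drawn` gives the draw for a full-size key; the figure changes with every seed because the number of rejected candidates does.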