2

I am using OAEP in a project and I want the resulting number of bits (n) to be 288 bits. Most of the implementations online seem to be for 1024 bits and using SHA-256 and I was wondering if truncating the number of bits in the G and H functions and then xoring would result in any security issues such as an increased probability for a collision to occur.

Edit: So in my example, n = 288, k0 = 72. For r, I am using a system random generator from the python library: SystemRandom().getrandbits(k0BitsInt)

Code:

Here is my implementation, a bit messy and uses Sagemath because I want to encrypt using finite fields. But the padding should look the same.

Could you help me with this. Thanks

Toncu Vlad
  • 21
  • 2
  • What are the consequences of removing a single byte from a sha256 hash? might help you about truncating a hash function. – kelalaka Jan 28 '19 at 18:47
  • It is not RSA, it is a different encryption mechanism that I am looking through for my dissertation and it generates a 288 bits encrypted message – Toncu Vlad Jan 28 '19 at 18:55
  • So in my example, n = 288, k0 = 72. For r, I am using a system random generator from the python library: SystemRandom().getrandbits(k0BitsInt). Is there anything more that you would like? I also have some code that I will edit in the main question. – Toncu Vlad Jan 28 '19 at 19:07
  • 1
    I think the answer really depends on your encryption scheme. Wait for some other responses. – kelalaka Jan 28 '19 at 19:23
  • 2
    I've used OAEP within ECC / ElGamal using a truncated hash before. However, I'm not sure about the XOR you are proposing and I'm afraid that just reading the code may trick me into overlooking some possible details. Could you describe your method more formally? P.S. if you are trying to use OAEP with ECC you are obviously not the first, no need to keep that secret. The initial paper on OAEP was pretty generic as well, actually proving it to be secure with RSA proved harder than the generic case, if I remember correctly. – Maarten Bodewes Jan 29 '19 at 01:30
  • I am not using it with ECC, it is a multivariate system that has been proposed to NIST and the XOR should be exactly the one described in the OAEP paper, I have not made any changes to it apart from truncating the G and H output to match the required number of bits. – Toncu Vlad Jan 29 '19 at 09:40

0 Answers0