Sub-Optimal Asymmetric Encryption Padding

                                                           Titaniumcore Project
Atsushi Oka [ ]                                       Jan 10,2009

    Sub-Optimal Asymmetric Encryption Padding(SOAEP) is a padding scheme for
    RSA encryption which I designed. SOAEP is based on OAEP.  The main
    difference is : OAEP uses cryptographic hash function to make the
    message probabilistic.  SOAEP uses block-cipher algorithm instead of it.

    There is no proof or evidence that this idea works as well as OAEP but
    it probably works as well because basically SOAEP shares same idea with
    OAEP. And perhaps SOAEP is more secure than OAEP since it uses a
    block-cipher algorithms instead of hash functions. It is probably slower
    than OAEP since SOAEP needs more complex calculation.

    The purpose of designing new RSA encryption padding scheme is firstly
    just simplification. I just want to make everything simplify and easy to
    understand in order to full-implement by myself. 

    Second, I feel strange that OAEP encrypts messages by XORing with a
    result of a hash function. I feel that it is more direct to encrypt it
    by a block-cipher algorithm. Though I am not sure it is really better or
    not since I am no a cryptographer.
    At last, And I also intend to make the specification under my control to
    convey some compatibilities to other schemes in Titaniumcore project. 

    In this document, I present a description of the algorithm. I also
    present an JavaScript implementation which you can refer in the attached
    file SOAEP.js.

    - M is a message.
    - L is length of the RSA key modulus.
    - BL is block length which is an arbitrary divisor of L.
    - D is a buffer which length is L.

    Assume the D is divided into blocks in which each block's length is BL.

    v0                                  v(L-2BL)    v(L-BL)     v(L)
  D |-----------|-----------|-----------|-----------|-----------|
      BLOCK(1)    BLOCK(2)    BLOCK(N-2)  BLOCK(N-1)  BLOCK(N) 



    1. Generate a random string token R which length is B. Then copy it to BLOCK(N).
    2. Copy the message M to D from index 0.
    3. (Optional) Write 0x80 the end position of the message as bit-padding-scheme.
    4. Fill 0 on the rest of the buffer.

    5. Encrypt D. Use BLOCK(N) as a key. Start encryption from BLOCK(N-1) and direct to
       BLOCK(1) with CBC mode. Use BLOCK(N-1) as an initialization vector.

    6. Encrypt D again. Use BLOCK(1) as a key. Start encryption from BLOCK(2)
       and end in BLOCK(N) with CBC mode. Use BLOCK(1) as an initialization vector.


    1. Decrypt from BLOCK(2) to BLOCK(N) with CBC mode. Use BLOCK(1) as a key.
    2. Decrypt from BLOCK(N-1) to BLOCK(1) with CBC mode. Use BLOCK(N) as a key.
    3. (Optional) Look up 0x80 from (L-BL) and direct to 0. When it found 0x80,
       clip the message from 0 to the position.


    - length of the message has to be equal or less than (L - BL - 1). 
      The -1 is only necessary when bit-padding-scheme is enabled.

    - L must always be a multiple of BL. For example, when the block-cipher
      algorithm is AES, L is always one of multiple of 16.

    There is an implementation by JavaScript. 


        SOAEP class implements interface PaddingScheme.
        See PaddingScheme.interface.txt
        class SOAEP()
            The main class.
        SOAEP.create( random, algorithm )
            A factory method.  Returns an instance of SOAEP class.

            Parameter random :
                An instance of SecureRandom class.
            Parameter algorithm :
                Pass an object from a result of Cipher.algorithm() method.
            Encode a message. 

            Parameter input : 
                A message which is an Array object that contains byte values
                of binary representation.
            Parameter length :
                Length that the encoded message is supposed to be.

            Decode a message. 

        SOAEP.maxsize( length )
            Calculate the maximum length of the internal message in which
            the encrypted message can contain.

            Parameter : length 
                Length that the encoded message supposed to be.

            Returns block size, namely BL. This method delegate the length
            of current cipher algorithm.

    I am not a cryptographer so I am not sure it is really secure.
    Especially I am not sure if it is dangerous to share a same random
    string by key and iv in the same session.  Further studying about this
    scheme is necessary.


// vim:ts=8:expandtab: