[Cryptech Tech] Specifications and test vectors for RSA

Rob Austein sra at hactrn.net
Fri Dec 5 11:15:05 UTC 2014


Joachim is starting to look at implementing RSA.  Current theory is
that the Verilog (blue) will just do the basic RSA transformation: key
generation and padding will be handled in software (green).

Some questions for people with more clue here than I:

* Do we want RFC 2437 (PKCS #1 2.0) or RFC 3447 (PKCS #1 2.1)?
  Some references from other specifications point at one, some point
  at the other, much of this is just due to relative ages of the specs
  but it's not immediately obvious that everything tracked.

* Did the wire representation of the PKCS1-v1_5 encoding algorithm
  change between these two specifications?  It looks like there's
  leading zero octet in 2.1 that's not present in 2.0, but maybe I'm
  reading it wrong?

* Which encoding algorithms do we need to support for DNSSEC and RPKI?
  DNSSEC seems fairly clear about PKCS1-v1_5, modulo the leading-zero
  question above.  RPKI doesn't nail this down quite so tightly; as a
  practical matter I think what's in use is PKCS1-v1_5, but that's not
  quite the same thing.

Also, Joachim sends a plea for test vectors, which he has not been
able to find.   Given the part of RSA that he thinks he's doing, this
means: please supply sample input to the RSA process with padding
already done, along with the corresponding expected output for a
supplied RSA keypair.   Plan is to collect a few of these, put them up
for scrutiny to make sure we believe that they're correct, then use
them as test vectors for the Verilog code.


More information about the Tech mailing list