How can I encrypt signature with RSA?

JothamB

12/29/23, 11:57 PM

I understand that from security perspective the sign-then-encrypt approach is the best.

I tried to implement it in Python with the cryptography package and I got this error: ValueError: Encryption/decryption failed.

This is not surprising. The maximum I can encrypt with RSA and OAEP padding is 190 bytes, but the signature alone is 256 bytes and there is the actual data I want to encrypt.

So if the maximum size I can encrypt is 190 bytes, how am I expected to encrypt 256 bytes signature + additional data?

And yet everybody is talking about sign-then-encrypt messages...

What am I missing here?

0 + 5

mentallurg

12/30/23, 1:23 AM

With RSA, you cannot encrypt data longer than the modulo. Nobody uses pure RSA encryption. Usually a *hybrid encryption* is used: The message is encrypted with symmetric encryption, and only the symmetric key is encrypted with RSA. See details here: [How can I use asymmetric encryption, such as RSA, to encrypt an arbitrary length of plaintext?](https://crypto.stackexchange.com/questions/14/how-can-i-use-asymmetric-encryption-such-as-rsa-to-encrypt-an-arbitrary-length)

JothamB

12/30/23, 9:48 AM

and i am aware of the methods to combine rsa with symmetric encryption. i can use it. i just wanted to know if there is a way to sign-then-encrypt using only rsa.

SAI Peregrinus

12/30/23, 2:20 PM

It's possible to treat RSAES-OAEP sort of like a block cipher, and break the message up into blocks smaller than the modulus, then encrypt each block in an AE-secure block cipher mode of operation (like GCM). That's thousands of times slower than just using an AE-secure block cipher for the encryption, so nobody does it, but it could be done.

JothamB

12/31/23, 3:01 PM

thank you SAI Peregrinus. thats what i did. and it is working. i have 2 questions: 1. is it appropriate to cascade rsa encrypted blocks aec-ecb style or is it necessary to include some kind of iv and xoring blocks ? 2. so if nobody uses it how can it be done ? what alternative do i have if i dont want to append plain text signature to the encrypted message ?

Maarten Bodewes

1/3/24, 12:47 AM

Not sure what you mean with *cascade* there, usually we reserve the term "cascade" when one operation modifies the input and another operation continues with the altered message. No, IV and XOR'ing blocks is not necessary, the OAEP padding will take care of the security. What do you mean: how can it be done? Split into 190 byte sections and encrypt, then concatenate the resulting ciphertext of 256 bytes. Decryption is split into 256 byte blocks and decrypt, concatenate the result.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How can I encrypt signature with RSA?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.