hash rsa padding oaep
Updated Fri, 08 Jul 2022 04:56:27 GMT

In PKCS#1 V2.2, should MGF be based on the same hash function that RSA-OAEP-ENCRYPT uses?

In Section 7.1.1 of PKCS#1 v2.2 there are two options for RSAES-OAEP-Encrypt given:

  • Hash
  • MGF

Appendix B.2.1 of the same document states that MGF1 is based on a hash function.

Is MGF1 based on the same hash function that is chosen as an option for RSAES-OAEP-Encrypt, or is it a different hash function?

If they can be different, in what common implementations do they differ?


The first hash is only used to hash the label. Most of the time the label will simply be empty, which means that a constant value can be used, identified just by the hash algorithm itself.

Although the hash values may differ and may have any SHA-x value, they are generally set to SHA-1 - which is the default. Note that SHA-1 is considered secure for MGF-1. It's also save to use over an empty string. So generally the use of SHA-1 is no issue and there is little to no reason to use another hash algorithm.

So in general you'll find two kinds of implementations: ones that simply keep to the default at all times (SHA-1 twice) or those that are configurable, such as the one in Oracle's Java (or Bouncy Castle for that matter). The configurable ones also will keep to the default unless specified differently.

Until today all the OAEP implementations that I encountered default to SHA-1 for both, but I guess in this world there could be one that chooses a different hash (if just to avoid SHA-1 altogether).

Et voila, an "unbalanced" OAEP encryption (using Oracle's Java 8):

MGF1ParameterSpec mgfSpec = new MGF1ParameterSpec("SHA-256");
// the "label", currently encoded to zero bytes
PSource pSource = new PSource.PSpecified(new byte[0]);
OAEPParameterSpec oaepSpec = new OAEPParameterSpec("SHA-512", "MGF1", mgfSpec, pSource);
Cipher oaep = Cipher.getInstance("RSA/ECB/OAEPPadding");
oaep.init(Cipher.ENCRYPT_MODE, kp.getPublic(), oaepSpec);
byte[] nothingEncryptedReallyWell = oaep.doFinal();