"Signcryption" support (e.g. PSS-R)

[tarcieri]

We've had a few requests (#86, #186, #230) to support decrypting messages using a public key. Though this should be straightforward using any encryption padding as it's the reciprocal operation to public-key encryption, the desired operation in this case seems to be "signcryption", i.e. the public-key equivalent to authenticated encryption. See this comment for more information.

Bellare and Rogaway described a construction specifically for this purpose as an extension of RSASSA-PSS: Probabilistic Signature Scheme with Recovery (PSS-R) as described in Section 5 of: https://web.cs.ucdavis.edu/~rogaway/papers/exact.pdf

(it's also known as EMSR-PSS as described in section 1.2 of this paper)

There are also a few other such schemes, such as ISO/IEC 9796-1 and 9796-2.

IEEE P1363 describes a specification for PSS-R.

[tarcieri]

The only open source library I'm aware of which implements PSS-R is Crypto++. We can potentially use it for interop testing:

https://github.com/weidai11/cryptopp/blob/master/pssr.h

However, I'm not sure what "flavor" of PSS-R it implements offhand or if it's remotely standard. If Crypto++ provides a nonstandard implementation, perhaps we should attempt to implement the IEEE P1363 flavor.

See also: http://www.weidai.com/scan-mirror/sig.html#sem_PSSR-MGF1

That mentions patents over PSS but to my knowledge those patents have expired, and if they hadn't would probably apply to our implementation of PSS as well.

[bajie-git]

Hello, are there any plans to support public key decryption and private key encryption now? Recently, I was doing data interaction with Java. The Standard library of Java provides the rsa public key decryption private key encryption scheme by default. It seems difficult to do this in Trust

[tarcieri]

@bajie-git is there a specific construction you're interested in?

[bajie-git]

@bajie-git is there a specific construction you're interested in?

Sorry, my English is not very good. I understand that you are asking me about API design. I hope it is better to provide corresponding encryption and decryption methods for both public and private keys.

    pub_key.encrypt(..);
    pub_key.decrypt(..);
    
    priv_key.encrypt(..);
    priv_key.decrypt(..);

I have tried to implement it myself based on source code, but I have failed. I am not very proficient in both rust and rsa algorithms

[tarcieri]

Sorry, that’s not what I was asking.

What algorithm or construction are you actually trying to implement? What goal are you trying to accomplish? At a high level, not “I want to encrypt with a public key”

Would PSS-R work for your use case, or are you trying to roll your own crypto?

[bajie-git]

Here is a simple implementation of using rsa to encrypt the returned data. Only the server saves a private key, and the public key is distributed across different clients. The server encrypts the data using the private key and returns it to the client.

[tarcieri]

In such a case you can give the server a public key, and then distribute the private keys to the clients, which would be the typical RSA workflow

[bajie-git]

Okay, I understand what you mean, but the private key can be derived from the public key, and the client is not trusted here, so this is also a problem for us. Overall, the method I use here is not the standard method for rsa. I will think of another way. Thank you for your reply

[Antosser]

The problem is that this is the only Rust library for RSA (thanks for that), which doesn't support private key encryption, while almost every other language does

[bajie-git]

The problem is that this is the only Rust library for RSA (thanks for that), which doesn't support private key encryption, while almost every other language does

I have the same feeling as you, especially when Wasm compilation requires this pure rust library. But I am not proficient in rust and rsa and cannot provide any effective code assistance.