7

What RSA max block size which I can encrypt in one cycle?

And what is the maximum speed of the RSA algorithm with a 4096 bit key size?

Lii
  • 11,553
  • 8
  • 64
  • 88
lebron2323
  • 990
  • 2
  • 14
  • 29

1 Answers1

15

According to Lenstra's updated equations available on this site, the security level of a 4096 bit RSA key is matched by a cryptographic hash which is at least 248 bits long, for instance SHA-256.

If you use RSA OAEP (and you should), the amount of data you can encrypt at most is therefore modulus size - 2 - 2*hash size, which is 446 bytes.

With RSA PKCS#1 v1.5 you can encrypt at most modulus size - 11 bytes, but RSA PKCS#1 v1.5 provides less security (it is not provably secure, and the minimum number of random padding bytes should be extended to at least 16 bytes).

If you need to encrypt more data you should not simply chop it up and use RSA multiple times on each block. That is a security flaw. You must take a different approach, more precisely:

  1. Select a random 128 bit symmetric key.
  2. Use an authenticated mode of operation to encrypt your data (e.g. AES-128 GCM).
  3. Encrypt the symmetric key using RSA OAEP.

RSA encryption (unlike decryption) is pretty speedy, but the time is really dependent on the library and on the platform you use. For some reference, see cryptopp library's website.

softwariness
  • 4,022
  • 4
  • 33
  • 41
SquareRootOfTwentyThree
  • 7,606
  • 32
  • 43
  • 2
    @owlstead Good point about the correct verb to use, I edited the answer. For the integrity of the symmetric key protected by RSA encryption, OAEP does already provide integrity. In my opinion, it is not even necessary though, because of the authentication mode (which embeds a MAC) used later on. Maybe you meant authenticity (which this scheme does not provide)? – SquareRootOfTwentyThree Aug 06 '12 at 07:30
  • No I did mean integrity. But I was confused in the sense that padding oracle attacks on OAEP are only possible as *side channel attacks*, in other words, attacks on the implementation. – Maarten Bodewes Aug 11 '12 at 11:35
  • @SquareRootOfTwentyThree: do you have any reference that explains **why** the max size is `modulus size - 2 - 2*hash size`? – eckes Nov 21 '13 at 13:52
  • 3
    @SquareRootOfTwentyThree: finally found it self: http://www.ietf.org/rfc/rfc2437.txt, Section 7.1.1: > message to be encrypted, an octet string of length at most **k-2-2hLen**, where k is the length in octets of the modulus n and hLen is the length in octets of the hash function output for EME-OAEP – eckes Nov 21 '13 at 14:01
  • Been looking for this forever. Thank you! – suchislife Apr 09 '22 at 22:02