8

What is the maximum RSA block size I can encrypt in one cycle?

And what is the maximum speed of the RSA algorithm with a 4096 bit key size?

1 Answer

15

According to Lenstra's updated equations available on this site, the security level of a 4096 bit RSA key is matched by a cryptographic hash which is at least 248 bits long, for instance SHA-256.

If you use RSA OAEP (and you should), the amount of data you can encrypt at most is therefore modulus size - 2 - 2*hash size, which is 446 bytes.

With RSA PKCS#1 v1.5 you can encrypt at most modulus size - 11 bytes, but RSA PKCS#1 v1.5 provides less security (it is not provably secure, and the minimum number of random padding bytes should be extended to at least 16 bytes).

If you need to encrypt more data you should not simply chop it up and use RSA multiple times on each block. That is a security flaw. You must take a different approach, more precisely:

  1. Select a random 128 bit symmetric key.
  2. Use an authenticated mode of operation to encrypt your data (e.g. AES-128 GCM).
  3. Encrypt the symmetric key using RSA OAEP.

RSA encryption (unlike decryption) is pretty speedy, but the time is really dependent on the library and on the platform you use. For some reference, see the cryptopp library's website.
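As an added example, not code from the answer or from any library the page cites, here is the length formula and the three-step hybrid scheme above written in Go using only the standard library (crypto/rsa, crypto/aes, crypto/cipher). The function names and the HybridCiphertext wire format are my own choices, and the sample message is constructed. The program also checks the boundary the comments below trace to RFC 2437 by asking the library to accept 446 and then 447 bytes under a 4096-bit key with SHA-256, and it shows that a tampered AES-GCM ciphertext is rejected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// MaxOAEPMessageLen returns the largest message, in bytes, that RSA-OAEP can
// encrypt directly: k - 2 - 2*hLen (RFC 2437 section 7.1.1), where k is the
// modulus length in bytes and hLen the hash output length in bytes.
func MaxOAEPMessageLen(modulusBits, hashLen int) int {
	return modulusBits/8 - 2 - 2*hashLen
}

// MaxPKCS1v15MessageLen returns the RSA PKCS#1 v1.5 limit: k - 11 bytes.
func MaxPKCS1v15MessageLen(modulusBits int) int {
	return modulusBits/8 - 11
}

// GenerateKeyPair wraps rsa.GenerateKey so the example has one entry point.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// OAEPAccepts reports whether RSA-OAEP with SHA-256 accepts an n-byte message
// under pub; crypto/rsa returns ErrMessageTooLong once n exceeds the limit.
func OAEPAccepts(pub *rsa.PublicKey, n int) bool {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, make([]byte, n), nil)
	return err == nil
}

// HybridCiphertext is the (hypothetical) wire format used here: the RSA-OAEP
// wrapped AES key, the GCM nonce, and the AES-GCM output with its tag appended.
type HybridCiphertext struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// HybridEncrypt implements the three steps from the answer: random 128-bit
// key, AES-128-GCM over the data, RSA-OAEP over the key only.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*HybridCiphertext, error) {
	key := make([]byte, 16) // step 1: fresh 128-bit symmetric key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // step 2: authenticated mode of operation
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must be unique per key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil) // step 3
	if err != nil {
		return nil, err
	}
	return &HybridCiphertext{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// HybridDecrypt reverses HybridEncrypt; any change to nonce or ciphertext makes
// gcm.Open fail its tag check, which is what the authenticated mode provides.
func HybridDecrypt(priv *rsa.PrivateKey, c *HybridCiphertext) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, c.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, c.Nonce, c.Ciphertext, nil)
}

func main() {
	priv, err := GenerateKeyPair(4096) // takes a few seconds
	if err != nil {
		panic(err)
	}
	limit := MaxOAEPMessageLen(4096, sha256.Size)
	fmt.Println("OAEP/SHA-256 limit for a 4096-bit key:", limit, "bytes") // 446
	fmt.Println("446 bytes accepted:", OAEPAccepts(&priv.PublicKey, limit))   // true
	fmt.Println("447 bytes accepted:", OAEPAccepts(&priv.PublicKey, limit+1)) // false

	msg := make([]byte, 100000) // constructed sample, far beyond one RSA block
	for i := range msg {
		msg[i] = byte('A' + i%26)
	}
	c, err := HybridEncrypt(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	pt, err := HybridDecrypt(priv, c)
	fmt.Println("round trip ok:", err == nil && string(pt) == string(msg)) // true
}
```

The symmetric key is the only thing RSA ever sees, so the RSA block limit stops mattering for the payload size, and the GCM tag covers the whole payload in one pass. If the RSA-wrapped key were tampered with, OAEP decryption fails first; if the payload were tampered with, the GCM tag check fails.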


4 Comments

@owlstead Good point about the correct verb to use, I edited the answer. For the integrity of the symmetric key protected by RSA encryption, OAEP does already provide integrity. In my opinion, it is not even necessary though, because of the authentication mode (which embeds a MAC) used later on. Maybe you meant authenticity (which this scheme does not provide)?
No I did mean integrity. But I was confused in the sense that padding oracle attacks on OAEP are only possible as side channel attacks, in other words, attacks on the implementation.
@SquareRootOfTwentyThree: do you have any reference that explains why the max size is modulus size - 2 - 2*hash size?
@SquareRootOfTwentyThree: finally found it myself: ietf.org/rfc/rfc2437.txt, Section 7.1.1: > message to be encrypted, an octet string of length at most k-2-2hLen, where k is the length in octets of the modulus n and hLen is the length in octets of the hash function output for EME-OAEP
