RSA encryption output size

Question

What is RSA encryption output size when using 2048 bit key and pkcs1padding.

Is it always 256 bytes independent of input size?

How can i calculate it for oth

Answer 1

The output (as integer) of RSAEP (RSA encryption primitive) is always between 0 and n:

1. If the message representative m is not between 0 and n-1, output message representative out of range and stop.

2. Let c = m^e mod n.

3. Output c.

Of course, c is a number. So you have to convert it to bytes for it to be usable. The only thing known about c is that it is smaller than n for a large value of m. It may be that c is a few bytes smaller even if m is large.

---

You've mentioned PKCS1Padding, which is part of the RSAES-PKCS1-V1_5-ENCRYPT encryption scheme. The padding will make sure that m is always large and randomized; requirements for RSA encryption to be secure.

You'll find that the encoding of c is specified in there:

...

Step 4: Convert the ciphertext representative c to a ciphertext C of length k octets: C = I2OSP (c, k)

...

where k is the size of the modulus in octets (bytes).

So yes, the answer is always k, the size of the modulus in bytes. Simply because the standard requires it that way. It is a value encoded as unsigned big endian number prefixed with as many zero bytes as required.

---

Notes:

• the modulus size defines the key size. So the output of an RSA encryption is the same as the key size: ceil(keySize / 8.0) using floats or (keySize + 8 - 1) / 8 using integers.

• RSA with OAEP padding uses the same technique, so the answer is correct for OAEP as well (and most other, less known schemes such as RSA-KEM).

• Many library routines that perform "raw" RSA (just modular exponentiation of the message with the public exponent) still perform the I2OSP function - but better check to make sure.