Article

Journal of Cryptology

, Volume 17, Issue 2, pp 81-104

First online:

RSA-OAEP Is Secure under the RSA Assumption

  • Eiichiro FujisakiAffiliated withNTT Labs, 1-1 Hikarino-oka, Yokosuka-shi 239-0847 Email author 
  • , Tatsuaki OkamotoAffiliated withNTT Labs, 1-1 Hikarino-oka, Yokosuka-shi 239-0847 Email author 
  • , David PointchevalAffiliated withDépartement d’Informatique, ENS – CNRS, 45 rue d’Ulm, 75230 Paris Cedex 05 Email author 
  • , Jacques SternAffiliated withDépartement d’Informatique, ENS – CNRS, 45 rue d’Ulm, 75230 Paris Cedex 05 Email author 

Rent the article at a discount

Rent now

* Final gross prices may vary according to local VAT.

Get Access

Abstract

Recently Victor Shoup noted that there is a gap in the widely believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) onewayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.

Public-key encryption Provable security RSA OAEP