Abstract
Recently, Victor Shoup noted that there is a gap in the widely believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) one-wayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.
Cite this article
Fujisaki, E., Okamoto, T., Pointcheval, D. et al. RSA-OAEP Is Secure under the RSA Assumption. J Cryptol 17, 81–104 (2004). https://doi.org/10.1007/s00145-002-0204-y
DOI: https://doi.org/10.1007/s00145-002-0204-y