Annual International Cryptology Conference

CRYPTO 1999: Advances in Cryptology — CRYPTO’ 99 pp 503-518

On the Security Properties of OAEP as an All-or-Nothing Transform

  • Victor Boyko
Conference paper

DOI: 10.1007/3-540-48405-1_32

Volume 1666 of the book series Lecture Notes in Computer Science (LNCS)


This paper studies All-or-Nothing Transforms (AONTs), which have been proposed by Rivest as a mode of operation for block ciphers. An AONT is an unkeyed, invertible, randomized transformation, with the property that it is hard to invert unless all of the output is known. Applications of AONTs include improving the security and speed of encryption. We give several formal definitions of security for AONTs that are stronger and more suited to practical applications than the original definitions. We then prove that Optimal Asymmetric Encryption Padding (OAEP) satisfies these definitions (in the random oracle model). This is the first construction of an AONT that has been proven secure in the strong sense. Our bound on the adversary’s advantage is nearly optimal, in the sense that no adversary can do substantially better against the OAEP than by exhaustive search. We also show that no AONT can achieve substantially better security than OAEP.
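The following sketch is an added illustration, not code from the paper: it shows the OAEP transform used as an AONT, with output s ‖ t where s = x ⊕ G(r) and t = r ⊕ H(s). The random oracles G and H are replaced here by SHAKE-256 with domain-separation prefixes, and the seed length `K` is an assumed parameter, so this illustrates the structure only and carries none of the paper's proven bounds.

```python
import hashlib
import os

K = 32  # seed length in bytes (assumed parameter, not taken from the paper)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def G(r, n):
    """Stand-in for random oracle G: expands the seed r to n bytes."""
    return hashlib.shake_256(b"G" + r).digest(n)

def H(s):
    """Stand-in for random oracle H: compresses s to K bytes."""
    return hashlib.shake_256(b"H" + s).digest(K)

def aont_encode(x, r=None):
    """Unkeyed, randomized, invertible transform: returns s || t."""
    r = os.urandom(K) if r is None else r
    if len(r) != K:
        raise ValueError("seed must be exactly K bytes")
    s = _xor(x, G(r, len(x)))   # mask the message with G(r)
    t = _xor(r, H(s))           # mask the seed with a hash of ALL of s
    return s + t

def aont_decode(y):
    """Inverse transform; needs every byte of y to recover r, then x."""
    if len(y) < K:
        raise ValueError("input shorter than the seed block")
    s, t = y[:-K], y[-K:]
    r = _xor(t, H(s))           # any wrong or missing byte of s changes H(s)
    return _xor(s, G(r, len(s)))

if __name__ == "__main__":
    msg = b"constructed sample message " * 4   # constructed input
    y = aont_encode(msg)
    print("round trip ok:", aont_decode(y) == msg)
    # Flip one bit of the first byte: the recovered seed is wrong, so the
    # mask G(r') is unrelated and even the far end of the message is lost.
    damaged = bytes([y[0] ^ 1]) + y[1:]
    print("tail survives damage:", aont_decode(damaged)[-16:] == msg[-16:])
```

No key is involved anywhere: anyone holding the complete output can invert it, which is why an AONT is combined with encryption rather than used in place of it.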

Key words

all-or-nothing transforms, encryption modes, OAEP, random oracles, polynomial indistinguishability, semantic security, exact security

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Victor Boyko (1)
  1. MIT Laboratory for Computer Science, Cambridge, USA