Advances in Cryptology - ASIACRYPT 2008

Volume 5350 of the series Lecture Notes in Computer Science pp 506-523

OAEP Is Secure under Key-Dependent Messages

  • Michael BackesAffiliated withSaarland UniversityMax-Planck-Institute for Software Systems
  • , Markus DürmuthAffiliated withSaarland University
  • , Dominique UnruhAffiliated withSaarland University


Key-dependent message security, short KDM security, was introduced by Black, Rogaway and Shrimpton to address the case where key cycles occur among encryptions, e.g., a key is encrypted with itself. We extend this definition to include the cases of adaptive corruptions and arbitrary active attacks, called adKDM security incorporating several novel design choices and substantially differing from prior definitions for public-key security. We also show that the OAEP encryption scheme (using a partial-domain one-way function) satisfies the strong notion of adKDM security in the random oracle model.The OAEP construction thus constitutes a suitable candidate for implementating symbolic abstractions of encryption schemes in a computationally sound manner under active adversaries.


Key-dependent message security chosen ciphertext attacks RSA-OAEP