# Instantiability of RSA-OAEP Under Chosen-Plaintext Attack


## Abstract

We show that the widely deployed RSA-OAEP encryption scheme of Bellare and Rogaway (Eurocrypt 1994), which combines RSA with two rounds of an underlying Feistel network whose hash (i.e., round) functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the *standard model* based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions. To prove this, we first give a result on a more general notion called “padding-based” encryption, saying that such a scheme is IND-CPA if (1) its underlying padding transform satisfies a “fooling” condition against small-range distinguishers on a class of high-entropy input distributions, and (2) its trapdoor permutation is sufficiently *lossy* as defined by Peikert and Waters (STOC 2008). We then show that the first round of OAEP satisfies condition (1) if its hash function is *t*-wise independent for *t* roughly proportional to the allowed message length. We clarify that this result requires the hash function to be keyed, and for its key to be included in the public key of RSA-OAEP. We also show that RSA satisfies condition (2) under the \(\Phi \)-Hiding Assumption of Cachin et al. (Eurocrypt 1999). This is the first *positive* result about the instantiability of RSA-OAEP. In particular, it increases confidence that chosen-plaintext attacks are unlikely to be found against the scheme. In contrast, RSA-OAEP’s predecessor in PKCS #1 v1.5 was shown to be vulnerable to such attacks by Coron et al. (Eurocrypt 2000).
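As an added toy illustration (not code from the paper) of the two conditions the abstract names: a brute-force count of the image of x ↦ x^e mod N on constructed small primes, which is e-to-1 (lossy) when e divides p − 1 and injective when gcd(e, φ(N)) = 1, and a keyed polynomial hash over GF(p) as a t-wise independent round function, with an exhaustive check of t-wise independence. The primes, exponents, field size and evaluation points are all constructed values, not parameters from the paper.

```python
from math import gcd, log2
from itertools import product

# Condition (2): lossiness of RSA. Constructed toy primes; e | (p - 1) gives the
# lossy branch, gcd(e, phi(N)) = 1 the injective (normal RSA) branch.
def rsa_image_size(p, q, e):
    """Number of distinct values of x^e mod N as x ranges over the units Z_N^*."""
    n = p * q
    return len({pow(x, e, n) for x in range(1, n) if gcd(x, n) == 1})

def lossiness_bits(p, q, e):
    """Bits lost by x -> x^e mod N: log2(|Z_N^*| / |image|); 0.0 means injective."""
    phi = (p - 1) * (q - 1)
    return log2(phi / rsa_image_size(p, q, e))

# Condition (1): a keyed t-wise independent hash usable as a round function.
# G_key(r) = sum_i key[i] * r^i over GF(prime); the key (t coefficients) must be
# published alongside the RSA public key, as the abstract notes.
def twise_hash(key, r, prime):
    return sum(a * pow(r, i, prime) for i, a in enumerate(key)) % prime

def is_twise_independent(prime, t, points):
    """Exhaustive check: over a uniform key in GF(prime)^t, are the outputs at the
    given distinct inputs jointly uniform? True iff all prime**len(points) output
    tuples occur, each equally often (this needs len(points) <= t)."""
    counts = {}
    for key in product(range(prime), repeat=t):
        outs = tuple(twise_hash(key, r, prime) for r in points)
        counts[outs] = counts.get(outs, 0) + 1
    expected = prime ** t // prime ** len(points)
    return (len(counts) == prime ** len(points)
            and all(c == expected for c in counts.values()))

if __name__ == "__main__":
    # N = 77, phi(N) = 60; e = 3 divides p - 1 = 6, so cubing is 3-to-1 on Z_7^*.
    print("lossy   e=3: image", rsa_image_size(7, 11, 3), "of 60 units,",
          round(lossiness_bits(7, 11, 3), 3), "bits lost")
    print("normal  e=7: image", rsa_image_size(7, 11, 7), "of 60 units")
    print("t=2 key, 2 points:", is_twise_independent(7, 2, [1, 2]))
    print("t=2 key, 3 points:", is_twise_independent(5, 2, [0, 1, 2]))
```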

## Keywords

- RSA
- OAEP
- Padding-based encryption
- Lossy trapdoor functions
- Leftover hash lemma
- Standard model

## Notes

### Acknowledgments

We thank Mihir Bellare, Alexandra Boldyreva, Dan Brown, Yevgeniy Dodis, Mathias Herrmann, Jason Hinek, Arjen Lenstra, Alex May, Phil Rogaway, and the anonymous reviewers of Crypto 2010 and the Journal of Cryptology for helpful comments. In particular, we thank Dan for reminding us of [16, Remark 2, p. 6], Alex and Mathias for pointing out the improved attacks in Sect. 5.3, Phil for encouraging us to consider the case of small *e* more closely and for telling us that KI security as defined in Appendix 8 was previously considered by [44], and Yevgeniy for suggesting the statement of Lemma 4.5 (our original lemma was specific to OAEP).

Part of this work was done while E.K. was at CWI, Amsterdam. E.K. is funded by ERC Project ERCC (FP7/615074) and the German Federal Ministry for Education and Research. Part of this work was done while A.O. was at Georgia Institute of Technology, supported in part by NSF award #0545659 and NSF Cyber Trust award #0831184. A.S. was supported in part by NSF awards #0747294 and #0729171.

Eike Kiltz was partially supported by DFG grant KI 795/4-1 and ERC Project ERCC (FP7/615074). Adam Smith was funded by US National Science Foundation award CCF-0747294.

## References

- 1. M. Abdalla, M. Bellare, P. Rogaway, The oracle Diffie–Hellman assumptions and an analysis of DHIES, in D. Naccache, editor, *CT-RSA 2001*. LNCS, vol. 2020 (Springer, Heidelberg, April 2001), pp. 143–158
- 2. B. Barak, R. Shaltiel, E. Tromer, True random number generators secure in a changing environment, in C.D. Walter, Ç.K. Koç, C. Paar, editors, *CHES 2003*. LNCS, vol. 2779 (Springer, Heidelberg, September 2003), pp. 166–180
- 3. M. Bellare, A. Boldyreva, A. O’Neill, Deterministic and efficiently searchable encryption, in A. Menezes, editor, *CRYPTO 2007*. LNCS, vol. 4622 (Springer, Heidelberg, August 2007), pp. 535–552
- 4. M. Bellare, V.T. Hoang, S. Keelveedhi, Instantiating random oracles via UCEs, in R. Canetti, J.A. Garay, editors, *CRYPTO 2013, Part II*. LNCS, vol. 8043 (Springer, Heidelberg, August 2013), pp. 398–415
- 5. M. Bellare, A. Palacio, Towards plaintext-aware public-key encryption without random oracles, in P.J. Lee, editor, *ASIACRYPT 2004*. LNCS, vol. 3329 (Springer, Heidelberg, December 2004), pp. 48–62
- 6. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in V. Ashby, editor, *ACM CCS 93* (ACM Press, November 1993), pp. 62–73
- 7. M. Bellare, P. Rogaway, Optimal asymmetric encryption, in A. De Santis, editor, *EUROCRYPT’94*. LNCS, vol. 950 (Springer, Heidelberg, May 1995), pp. 92–111
- 8. M. Bellare, J. Rompel, Randomness-efficient oblivious sampling, in *35th FOCS* (IEEE Computer Society Press, November 1994), pp. 276–287
- 9. M. Blum, P. Feldman, S. Micali, Proving security against chosen cyphertext attacks, in S. Goldwasser, editor, *CRYPTO’88*. LNCS, vol. 403 (Springer, Heidelberg, August 1990), pp. 256–268
- 10. A. Boldyreva, D. Cash, M. Fischlin, B. Warinschi, Foundations of non-malleable hash and one-way functions, in M. Matsui, editor, *ASIACRYPT 2009*. LNCS, vol. 5912 (Springer, Heidelberg, December 2009), pp. 524–541
- 11. A. Boldyreva, S. Fehr, A. O’Neill, On notions of security for deterministic encryption, and efficient constructions without random oracles, in D. Wagner, editor, *CRYPTO 2008*. LNCS, vol. 5157 (Springer, Heidelberg, August 2008), pp. 335–359
- 12. A. Boldyreva, M. Fischlin, Analysis of random oracle instantiation scenarios for OAEP and other practical schemes, in V. Shoup, editor, *CRYPTO 2005*. LNCS, vol. 3621 (Springer, Heidelberg, August 2005), pp. 412–429
- 13. A. Boldyreva, M. Fischlin, On the security of OAEP, in X. Lai, K. Chen, editors, *ASIACRYPT 2006*. LNCS, vol. 4284 (Springer, Heidelberg, December 2006), pp. 210–225
- 14. D. Boneh, Simplified OAEP for the RSA and Rabin functions, in J. Kilian, editor, *CRYPTO 2001*. LNCS, vol. 2139 (Springer, Heidelberg, August 2001), pp. 275–291
- 15. D.R.L. Brown, What hashes make RSA-OAEP secure? Cryptology ePrint Archive, Report 2006/223. http://eprint.iacr.org/ (2006)
- 16. C. Cachin, Efficient private bidding and auctions with an oblivious third party, in *ACM CCS 99* (ACM Press, November 1999), pp. 120–127
- 17. C. Cachin, S. Micali, M. Stadler, Computationally private information retrieval with polylogarithmic communication, in J. Stern, editor, *EUROCRYPT’99*. LNCS, vol. 1592 (Springer, Heidelberg, May 1999), pp. 402–414
- 18. R. Canetti, Towards realizing random oracles: hash functions that hide all partial information, in B.S. Kaliski Jr., editor, *CRYPTO’97*. LNCS, vol. 1294 (Springer, Heidelberg, August 1997), pp. 455–469
- 19. R. Canetti, R.R. Dakdouk, Extractable perfectly one-way functions, in L. Aceto, I. Damgård, L.A. Goldberg, M.M. Halldórsson, A. Ingólfsdóttir, I. Walukiewicz, editors, *ICALP 2008, Part II*. LNCS, vol. 5126 (Springer, Heidelberg, July 2008), pp. 449–460
- 20. R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited. *J. ACM* **51**(4), 557–594 (2004)
- 21. R. Canetti, D. Micciancio, O. Reingold, Perfectly one-way probabilistic hash functions (preliminary version), in *30th ACM STOC* (ACM Press, May 1998), pp. 131–140
- 22. D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities. *J. Cryptol.* **10**(4), 233–260 (1997)
- 23. J.-S. Coron, M. Joye, D. Naccache, P. Paillier, New attacks on PKCS#1 v1.5 encryption, in B. Preneel, editor, *EUROCRYPT 2000*. LNCS, vol. 1807 (Springer, Heidelberg, May 2000), pp. 369–381
- 24. J.-S. Coron, M. Joye, D. Naccache, P. Paillier, Universal padding schemes for RSA, in M. Yung, editor, *CRYPTO 2002*. LNCS, vol. 2442 (Springer, Heidelberg, August 2002), pp. 226–241
- 25. Y. Dodis, R. Oliveira, K. Pietrzak, On the generic insecurity of the full domain hash, in V. Shoup, editor, *CRYPTO 2005*. LNCS, vol. 3621 (Springer, Heidelberg, August 2005), pp. 449–466
- 26. Y. Dodis, A. Sahai, A. Smith, On perfect and adaptive security in exposure-resilient cryptography, in B. Pfitzmann, editor, *EUROCRYPT 2001*. LNCS, vol. 2045 (Springer, Heidelberg, May 2001), pp. 301–324
- 27. Y. Dodis, A. Smith, Correcting errors without leaking partial information, in H.N. Gabow, R. Fagin, editors, *37th ACM STOC* (ACM Press, May 2005), pp. 654–663
- 28. D.M. Freeman, O. Goldreich, E. Kiltz, A. Rosen, G. Segev, More constructions of lossy and correlation-secure trapdoor functions. *J. Cryptol.* **26**(1), 39–74 (2013)
- 29. E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern, RSA-OAEP is secure under the RSA assumption. *J. Cryptol.* **17**(2), 81–104 (2004)
- 30. C. Gentry, P.D. Mackenzie, Z. Ramzan, Password authenticated key exchange using hidden smooth subgroups, in V. Atluri, C. Meadows, A. Juels, editors, *ACM CCS 05* (ACM Press, November 2005), pp. 299–309
- 31. O. Goldreich, *Foundations of Cryptography: Basic Applications*, vol. 2 (Cambridge University Press, Cambridge, UK, 2004)
- 32. S. Goldwasser, S. Micali, Probabilistic encryption. *J. Comput. Syst. Sci.* **28**(2), 270–299 (1984)
- 33. B. Harris, RSA key exchange for the Secure Shell (SSH) transport layer protocol. RFC 4432
- 34. B. Hemenway, R. Ostrovsky, Public-key locally-decodable codes, in D. Wagner, editor, *CRYPTO 2008*. LNCS, vol. 5157 (Springer, Heidelberg, August 2008), pp. 126–143
- 35. B. Hemenway, R. Ostrovsky, A. Rosen, Non-committing encryption from \(\phi \)-hiding, in Y. Dodis, J.B. Nielsen, editors, *TCC 2015, Part I*. LNCS, vol. 9014 (Springer, Heidelberg, March 2015), pp. 591–608
- 36. M. Herrmann, Improved cryptanalysis of the multi-prime \(\phi \)-hiding assumption, in A. Nitaj, D. Pointcheval, editors, *AFRICACRYPT 11*. LNCS, vol. 6737 (Springer, Heidelberg, July 2011), pp. 92–99
- 37. D. Hofheinz, E. Kiltz, The group of signed quadratic residues and applications, in S. Halevi, editor, *CRYPTO 2009*. LNCS, vol. 5677 (Springer, Heidelberg, August 2009), pp. 637–653
- 38. E. Kiltz, K. Pietrzak, Personal communication (2009)
- 39. E. Kiltz, A. O’Neill, A. Smith, Instantiability of RSA-OAEP under chosen-plaintext attack, in T. Rabin, editor, *CRYPTO 2010*. LNCS, vol. 6223 (Springer, Heidelberg, August 2010), pp. 295–313
- 40. E. Kiltz, K. Pietrzak, On the security of padding-based encryption schemes – or – why we cannot prove OAEP secure in the standard model, in A. Joux, editor, *EUROCRYPT 2009*. LNCS, vol. 5479 (Springer, Heidelberg, April 2009), pp. 389–406
- 41. K. Kobara, H. Imai, OAEP++: a very simple way to apply OAEP to deterministic OW-CPA primitives. Cryptology ePrint Archive, Report 2002/130. http://eprint.iacr.org/ (2002)
- 42. A.K. Lenstra, Unbelievable security. Matching AES security using public key systems (invited talk), in C. Boyd, editor, *ASIACRYPT 2001*. LNCS, vol. 2248 (Springer, Heidelberg, December 2001), pp. 67–86
- 43. M. Lewko, A. O’Neill, A. Smith, Regularity of lossy RSA on subdomains and its applications, in T. Johansson, P.Q. Nguyen, editors, *EUROCRYPT 2013*. LNCS, vol. 7881 (Springer, Heidelberg, May 2013), pp. 55–75
- 44. A. May, Using LLL-reduction for solving RSA and factorization problems: a survey, in *LLL+25 Conference in Honour of the 25th Birthday of the LLL Algorithm* (2007)
- 45. S. Micali, C. Rackoff, B. Sloan, The notion of security for probabilistic cryptosystems, in A.M. Odlyzko, editor, *CRYPTO’86*. LNCS, vol. 263 (Springer, Heidelberg, August 1987), pp. 381–392
- 46. P. Mol, S. Yilek, Chosen-ciphertext security from slightly lossy trapdoor functions, in P.Q. Nguyen, D. Pointcheval, editors, *PKC 2010*. LNCS, vol. 6056 (Springer, Heidelberg, May 2010), pp. 296–311
- 47. N. Nisan, D. Zuckerman, Randomness is linear in space. *J. Comput. Syst. Sci.* **52**(1), 43–52 (1996)
- 48. P. Paillier, J.L. Villar, Trading one-wayness against chosen-ciphertext security in factoring-based encryption, in X. Lai, K. Chen, editors, *ASIACRYPT 2006*. LNCS, vol. 4284 (Springer, Heidelberg, December 2006), pp. 252–266
- 49. O. Pandey, R. Pass, V. Vaikuntanathan, Adaptive one-way functions and applications, in D. Wagner, editor, *CRYPTO 2008*. LNCS, vol. 5157 (Springer, Heidelberg, August 2008), pp. 57–74
- 50. C. Peikert, B. Waters, Lossy trapdoor functions and their applications. *SIAM J. Comput.* **40**(6), 1803–1844 (2011)
- 51. RSA public-key cryptography standards (PKCS). http://www.rsa.com/rsalabs/node.asp?id=2124
- 52. M.O. Rabin, Digitalized signatures and public-key functions as intractable as factorization. Technical report (1979)
- 53. C. Rackoff, D.R. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in J. Feigenbaum, editor, *CRYPTO’91*. LNCS, vol. 576 (Springer, Heidelberg, August 1992), pp. 433–444
- 54. R.L. Rivest, A. Shamir, L. Adleman, U.S. patent 4405829: cryptographic communications system and method
- 55. R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining public-key cryptosystems and digital signatures. Technical Memo MIT/LCS/TM-82, Massachusetts Institute of Technology, Laboratory for Computer Science (1977)
- 56. C. Schridde, B. Freisleben, On the validity of the phi-hiding assumption in cryptographic protocols, in J. Pieprzyk, editor, *ASIACRYPT 2008*. LNCS, vol. 5350 (Springer, Heidelberg, December 2008), pp. 344–354
- 57. Y. Seurin, On the lossiness of the Rabin trapdoor function, in H. Krawczyk, editor, *PKC 2014*. LNCS, vol. 8383 (Springer, Heidelberg, March 2014), pp. 380–398
- 58.
- 59. A. Smith, Y. Zhang, On the regularity of lossy RSA—improved bounds and applications to padding-based encryption, in Y. Dodis, J.B. Nielsen, editors, *TCC 2015, Part I*. LNCS, vol. 9014 (Springer, Heidelberg, March 2015), pp. 609–628
- 60. K. Tosu, N. Kunihiro, Optimal bounds for multi-prime phi-hiding assumption, in *Information Security and Privacy—17th Australasian Conference, ACISP 2012, Wollongong, NSW, Australia, July 9–11, 2012. Proceedings* (2012), pp. 1–14
- 61. L. Trevisan, S.P. Vadhan, Extracting randomness from samplable distributions, in *41st FOCS* (IEEE Computer Society Press, November 2000), pp. 32–42
- 62. M.N. Wegman, L. Carter, New hash functions and their use in authentication and set equality. *J. Comput. Syst. Sci.* **22**(3), 265–279 (1981)
- 63. S. Yilek, E. Rescorla, H. Shacham, B. Enright, S. Savage, When private keys are public: results from the 2008 Debian OpenSSL vulnerability, in *Internet Measurement Conference*
- 64. P. Zimmermann, Integer factoring records. http://www.loria.fr/~zimmerma/records/factor.html