Journal of Cryptology, Volume 30, Issue 3, pp 889–919

Instantiability of RSA-OAEP Under Chosen-Plaintext Attack

  • Eike Kiltz
  • Adam O’Neill
  • Adam Smith


We show that the widely deployed RSA-OAEP encryption scheme of Bellare and Rogaway (Eurocrypt 1994), which combines RSA with two rounds of an underlying Feistel network whose hash (i.e., round) functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions. To prove this, we first give a result on a more general notion called “padding-based” encryption, saying that such a scheme is IND-CPA if (1) its underlying padding transform satisfies a “fooling” condition against small-range distinguishers on a class of high-entropy input distributions, and (2) its trapdoor permutation is sufficiently lossy as defined by Peikert and Waters (STOC 2008). We then show that the first round of OAEP satisfies condition (1) if its hash function is t-wise independent for t roughly proportional to the allowed message length. We clarify that this result requires the hash function to be keyed, and for its key to be included in the public key of RSA-OAEP. We also show that RSA satisfies condition (2) under the \(\Phi \)-Hiding Assumption of Cachin et al. (Eurocrypt 1999). This is the first positive result about the instantiability of RSA-OAEP. In particular, it increases confidence that chosen-plaintext attacks are unlikely to be found against the scheme. In contrast, RSA-OAEP’s predecessor in PKCS #1 v1.5 was shown to be vulnerable to such attacks by Coron et al. (Eurocrypt 2000).
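Condition (2) above, the lossiness of RSA under the \(\Phi \)-Hiding Assumption, can be seen concretely on a toy modulus. The following is an added example written for this page, not code from the paper: it enumerates the RSA map x ↦ x^e mod N on Z_N^* for constructed, deliberately tiny primes and compares a normal key (gcd(e, φ(N)) = 1, a permutation) with a "lossy" key in which e divides p − 1, where the map becomes exactly e-to-1 and so discards log2(e) bits of its input. The primes and exponent are chosen only so the brute-force enumeration stays small.

```python
"""Toy demonstration of "lossy" RSA under the Phi-Hiding Assumption.

Added example, not code from the paper.  A normal RSA key has gcd(e, phi(N)) = 1,
so x -> x^e mod N permutes Z_N^*.  The Phi-Hiding Assumption says a modulus
N = pq with e | (p - 1) is computationally indistinguishable from a normal one;
for such a "lossy" key the same map is e-to-1 on the Z_p^* component, so its
image is only a 1/e fraction of the domain and a ciphertext loses log2(e) bits
of information about the input.  The moduli below are constructed to be tiny
so the image can be enumerated by brute force; they are useless for real use.
"""
from collections import Counter
from math import gcd, log2


def units_mod(n):
    """All x in [1, n) coprime to n, i.e. the group Z_n^* (size phi(n))."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def is_injective_key(p, q, e):
    """The check a key generator performs: e must be invertible mod phi(N).
    A lossy key (e | p - 1) fails it, but a party that only sees (N, e)
    cannot run this check without factoring N; that gap is exactly what
    the Phi-Hiding Assumption formalises."""
    return gcd(e, (p - 1) * (q - 1)) == 1


def preimage_sizes(p, q, e):
    """Set of preimage counts of x -> x^e mod pq over Z_N^*.
    {1} means the map is a permutation; {e} means it is exactly e-to-1."""
    n = p * q
    counts = Counter(pow(x, e, n) for x in units_mod(n))
    return set(counts.values())


def lossiness_bits(p, q, e):
    """Bits of input entropy destroyed by the map: log2(|domain| / |image|)."""
    n = p * q
    image = {pow(x, e, n) for x in units_mod(n)}
    return log2(len(units_mod(n)) / len(image))


if __name__ == "__main__":
    # Normal key: e = 3, phi(N) = 10 * 16 = 160, gcd(3, 160) = 1.
    print("normal key (11, 17, e=3):", is_injective_key(11, 17, 3),
          preimage_sizes(11, 17, 3), round(lossiness_bits(11, 17, 3), 3))
    # Lossy key: e = 3 divides p - 1 = 6 but not q - 1 = 10, so 3-to-1.
    print("lossy key  ( 7, 11, e=3):", is_injective_key(7, 11, 3),
          preimage_sizes(7, 11, 3), round(lossiness_bits(7, 11, 3), 3))
    # Doubly lossy: e divides both p - 1 and q - 1, so 9-to-1.
    print("lossy key  ( 7, 13, e=3):", is_injective_key(7, 13, 3),
          preimage_sizes(7, 13, 3), round(lossiness_bits(7, 13, 3), 3))
```

The practitioner's reading is that a real key generator must reject any e with gcd(e, φ(N)) ≠ 1, while the proof technique relies on the fact that an outsider holding only (N, e) cannot tell a lossy key from a normal one. How large e may be before lossy keys become distinguishable is governed by the lattice attacks the paper cites (Coppersmith [22], Herrmann [36]); e = 3 is used here only to keep the enumeration small.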


Keywords: RSA, OAEP, Padding-based encryption, Lossy trapdoor functions, Leftover hash lemma, Standard model



We thank Mihir Bellare, Alexandra Boldyreva, Dan Brown, Yevgeniy Dodis, Mathias Herrmann, Jason Hinek, Arjen Lenstra, Alex May, Phil Rogaway, and the anonymous reviewers of Crypto 2010 and the Journal of Cryptology for helpful comments. In particular, we thank Dan for reminding us of [16, Remark 2, p. 6], Alex and Mathias for pointing out the improved attacks in Sect. 5.3, Phil for encouraging us to consider the case of small e more closely and for telling us that KI security as defined in Appendix 8 was previously considered by [44], and Yevgeniy for suggesting the statement of Lemma 4.5 (our original lemma was specific to OAEP).

Part of this work was done while E.K. was at CWI, Amsterdam. E.K. is funded by ERC Project ERCC (FP7/615074) and the German Federal Ministry for Education and Research. Part of this work was done while A.O. was at Georgia Institute of Technology, supported in part by NSF award #0545659 and NSF Cyber Trust award #0831184. A.S. was supported in part by NSF awards #0747294, 0729171.

Eike Kiltz was partially supported by DFG grant KI 795/4-1 and ERC Project ERCC (FP7/615074). Adam Smith was funded by US National Science Foundation award CCF-0747294.


References

  1. M. Abdalla, M. Bellare, P. Rogaway, The oracle Diffie–Hellman assumptions and an analysis of DHIES, in D. Naccache, editor, CT-RSA 2001. LNCS, vol. 2020 (Springer, Heidelberg, April 2001), pp. 143–158
  2. B. Barak, R. Shaltiel, E. Tromer, True random number generators secure in a changing environment, in C.D. Walter, Ç.K. Koç, C. Paar, editors, CHES 2003. LNCS, vol. 2779 (Springer, Heidelberg, September 2003), pp. 166–180
  3. M. Bellare, A. Boldyreva, A. O’Neill, Deterministic and efficiently searchable encryption, in A. Menezes, editor, CRYPTO 2007. LNCS, vol. 4622 (Springer, Heidelberg, August 2007), pp. 535–552
  4. M. Bellare, V.T. Hoang, S. Keelveedhi, Instantiating random oracles via UCEs, in R. Canetti, J.A. Garay, editors, CRYPTO 2013, Part II. LNCS, vol. 8043 (Springer, Heidelberg, August 2013), pp. 398–415
  5. M. Bellare, A. Palacio, Towards plaintext-aware public-key encryption without random oracles, in P.J. Lee, editor, ASIACRYPT 2004. LNCS, vol. 3329 (Springer, Heidelberg, December 2004), pp. 48–62
  6. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in V. Ashby, editor, ACM CCS 93 (ACM Press, November 1993), pp. 62–73
  7. M. Bellare, P. Rogaway, Optimal asymmetric encryption, in A. De Santis, editor, EUROCRYPT’94. LNCS, vol. 950 (Springer, Heidelberg, May 1995), pp. 92–111
  8. M. Bellare, J. Rompel, Randomness-efficient oblivious sampling, in 35th FOCS (IEEE Computer Society Press, November 1994), pp. 276–287
  9. M. Blum, P. Feldman, S. Micali, Proving security against chosen cyphertext attacks, in S. Goldwasser, editor, CRYPTO’88. LNCS, vol. 403 (Springer, Heidelberg, August 1990), pp. 256–268
  10. A. Boldyreva, D. Cash, M. Fischlin, B. Warinschi, Foundations of non-malleable hash and one-way functions, in M. Matsui, editor, ASIACRYPT 2009. LNCS, vol. 5912 (Springer, Heidelberg, December 2009), pp. 524–541
  11. A. Boldyreva, S. Fehr, A. O’Neill, On notions of security for deterministic encryption, and efficient constructions without random oracles, in D. Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, Heidelberg, August 2008), pp. 335–359
  12. A. Boldyreva, M. Fischlin, Analysis of random oracle instantiation scenarios for OAEP and other practical schemes, in V. Shoup, editor, CRYPTO 2005. LNCS, vol. 3621 (Springer, Heidelberg, August 2005), pp. 412–429
  13. A. Boldyreva, M. Fischlin, On the security of OAEP, in X. Lai, K. Chen, editors, ASIACRYPT 2006. LNCS, vol. 4284 (Springer, Heidelberg, December 2006), pp. 210–225
  14. D. Boneh, Simplified OAEP for the RSA and Rabin functions, in J. Kilian, editor, CRYPTO 2001. LNCS, vol. 2139 (Springer, Heidelberg, August 2001), pp. 275–291
  15. D.R.L. Brown, What hashes make RSA-OAEP secure? Cryptology ePrint Archive, Report 2006/223 (2006)
  16. C. Cachin, Efficient private bidding and auctions with an oblivious third party, in ACM CCS 99 (ACM Press, November 1999), pp. 120–127
  17. C. Cachin, S. Micali, M. Stadler, Computationally private information retrieval with polylogarithmic communication, in J. Stern, editor, EUROCRYPT’99. LNCS, vol. 1592 (Springer, Heidelberg, May 1999), pp. 402–414
  18. R. Canetti, Towards realizing random oracles: hash functions that hide all partial information, in B.S. Kaliski Jr., editor, CRYPTO’97. LNCS, vol. 1294 (Springer, Heidelberg, August 1997), pp. 455–469
  19. R. Canetti, R.R. Dakdouk, Extractable perfectly one-way functions, in L. Aceto, I. Damgård, L.A. Goldberg, M.M. Halldórsson, A. Ingólfsdóttir, I. Walukiewicz, editors, ICALP 2008, Part II. LNCS, vol. 5126 (Springer, Heidelberg, July 2008), pp. 449–460
  20. R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited. J. ACM, 51(4), 557–594 (2004)
  21. R. Canetti, D. Micciancio, O. Reingold, Perfectly one-way probabilistic hash functions (preliminary version), in 30th ACM STOC (ACM Press, May 1998), pp. 131–140
  22. D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol., 10(4), 233–260 (1997)
  23. J.-S. Coron, M. Joye, D. Naccache, P. Paillier, New attacks on PKCS#1 v1.5 encryption, in B. Preneel, editor, EUROCRYPT 2000. LNCS, vol. 1807 (Springer, Heidelberg, May 2000), pp. 369–381
  24. J.-S. Coron, M. Joye, D. Naccache, P. Paillier, Universal padding schemes for RSA, in M. Yung, editor, CRYPTO 2002. LNCS, vol. 2442 (Springer, Heidelberg, August 2002), pp. 226–241
  25. Y. Dodis, R. Oliveira, K. Pietrzak, On the generic insecurity of the full domain hash, in V. Shoup, editor, CRYPTO 2005. LNCS, vol. 3621 (Springer, Heidelberg, August 2005), pp. 449–466
  26. Y. Dodis, A. Sahai, A. Smith, On perfect and adaptive security in exposure-resilient cryptography, in B. Pfitzmann, editor, EUROCRYPT 2001. LNCS, vol. 2045 (Springer, Heidelberg, May 2001), pp. 301–324
  27. Y. Dodis, A. Smith, Correcting errors without leaking partial information, in H.N. Gabow, R. Fagin, editors, 37th ACM STOC (ACM Press, May 2005), pp. 654–663
  28. D.M. Freeman, O. Goldreich, E. Kiltz, A. Rosen, G. Segev, More constructions of lossy and correlation-secure trapdoor functions. J. Cryptol., 26(1), 39–74 (2013)
  29. E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern, RSA-OAEP is secure under the RSA assumption. J. Cryptol., 17(2), 81–104 (2004)
  30. C. Gentry, P.D. MacKenzie, Z. Ramzan, Password authenticated key exchange using hidden smooth subgroups, in V. Atluri, C. Meadows, A. Juels, editors, ACM CCS 05 (ACM Press, November 2005), pp. 299–309
  31. O. Goldreich, Foundations of Cryptography: Basic Applications, vol. 2 (Cambridge University Press, Cambridge, UK, 2004)
  32. S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci., 28(2), 270–299 (1984)
  33. B. Harris, RSA key exchange for the Secure Shell (SSH) transport layer protocol. RFC 4432
  34. B. Hemenway, R. Ostrovsky, Public-key locally-decodable codes, in D. Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, Heidelberg, August 2008), pp. 126–143
  35. B. Hemenway, R. Ostrovsky, A. Rosen, Non-committing encryption from \(\phi \)-hiding, in Y. Dodis, J.B. Nielsen, editors, TCC 2015, Part I. LNCS, vol. 9014 (Springer, Heidelberg, March 2015), pp. 591–608
  36. M. Herrmann, Improved cryptanalysis of the multi-prime \(\phi \)-hiding assumption, in A. Nitaj, D. Pointcheval, editors, AFRICACRYPT 11. LNCS, vol. 6737 (Springer, Heidelberg, July 2011), pp. 92–99
  37. D. Hofheinz, E. Kiltz, The group of signed quadratic residues and applications, in S. Halevi, editor, CRYPTO 2009. LNCS, vol. 5677 (Springer, Heidelberg, August 2009), pp. 637–653
  38. E. Kiltz, K. Pietrzak, Personal communication (2009)
  39. E. Kiltz, A. O’Neill, A. Smith, Instantiability of RSA-OAEP under chosen-plaintext attack, in T. Rabin, editor, CRYPTO 2010. LNCS, vol. 6223 (Springer, Heidelberg, August 2010), pp. 295–313
  40. E. Kiltz, K. Pietrzak, On the security of padding-based encryption schemes, or, why we cannot prove OAEP secure in the standard model, in A. Joux, editor, EUROCRYPT 2009. LNCS, vol. 5479 (Springer, Heidelberg, April 2009), pp. 389–406
  41. K. Kobara, H. Imai, OAEP++: a very simple way to apply OAEP to deterministic OW-CPA primitives. Cryptology ePrint Archive, Report 2002/130 (2002)
  42. A.K. Lenstra, Unbelievable security: matching AES security using public key systems (invited talk), in C. Boyd, editor, ASIACRYPT 2001. LNCS, vol. 2248 (Springer, Heidelberg, December 2001), pp. 67–86
  43. M. Lewko, A. O’Neill, A. Smith, Regularity of lossy RSA on subdomains and its applications, in T. Johansson, P.Q. Nguyen, editors, EUROCRYPT 2013. LNCS, vol. 7881 (Springer, Heidelberg, May 2013), pp. 55–75
  44. A. May, Using LLL-reduction for solving RSA and factorization problems: a survey, in LLL+25 Conference in Honour of the 25th Birthday of the LLL Algorithm (2007)
  45. S. Micali, C. Rackoff, B. Sloan, The notion of security for probabilistic cryptosystems, in A.M. Odlyzko, editor, CRYPTO’86. LNCS, vol. 263 (Springer, Heidelberg, August 1987), pp. 381–392
  46. P. Mol, S. Yilek, Chosen-ciphertext security from slightly lossy trapdoor functions, in P.Q. Nguyen, D. Pointcheval, editors, PKC 2010. LNCS, vol. 6056 (Springer, Heidelberg, May 2010), pp. 296–311
  47. N. Nisan, D. Zuckerman, Randomness is linear in space. J. Comput. Syst. Sci., 52(1), 43–52 (1996)
  48. P. Paillier, J.L. Villar, Trading one-wayness against chosen-ciphertext security in factoring-based encryption, in X. Lai, K. Chen, editors, ASIACRYPT 2006. LNCS, vol. 4284 (Springer, Heidelberg, December 2006), pp. 252–266
  49. O. Pandey, R. Pass, V. Vaikuntanathan, Adaptive one-way functions and applications, in D. Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, Heidelberg, August 2008), pp. 57–74
  50. C. Peikert, B. Waters, Lossy trapdoor functions and their applications. SIAM J. Comput., 40(6), 1803–1844 (2011)
  51. RSA Public-Key Cryptography Standards (PKCS)
  52. M.O. Rabin, Digitalized signatures and public-key functions as intractable as factorization. Technical report (1979)
  53. C. Rackoff, D.R. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in J. Feigenbaum, editor, CRYPTO’91. LNCS, vol. 576 (Springer, Heidelberg, August 1992), pp. 433–444
  54. R.L. Rivest, A. Shamir, L. Adleman, U.S. patent 4405829: cryptographic communications system and method
  55. R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining public-key cryptosystems and digital signatures. Technical Memo MIT/LCS/TM-82, Massachusetts Institute of Technology, Laboratory for Computer Science (1977)
  56. C. Schridde, B. Freisleben, On the validity of the phi-hiding assumption in cryptographic protocols, in J. Pieprzyk, editor, ASIACRYPT 2008. LNCS, vol. 5350 (Springer, Heidelberg, December 2008), pp. 344–354
  57. Y. Seurin, On the lossiness of the Rabin trapdoor function, in H. Krawczyk, editor, PKC 2014. LNCS, vol. 8383 (Springer, Heidelberg, March 2014), pp. 380–398
  58. V. Shoup, OAEP reconsidered. J. Cryptol., 15(4), 223–249 (2002)
  59. A. Smith, Y. Zhang, On the regularity of lossy RSA: improved bounds and applications to padding-based encryption, in Y. Dodis, J.B. Nielsen, editors, TCC 2015, Part I. LNCS, vol. 9014 (Springer, Heidelberg, March 2015), pp. 609–628
  60. K. Tosu, N. Kunihiro, Optimal bounds for multi-prime phi-hiding assumption, in Information Security and Privacy, 17th Australasian Conference, ACISP 2012, Wollongong, NSW, Australia, July 9–11, 2012. Proceedings (2012), pp. 1–14
  61. L. Trevisan, S.P. Vadhan, Extracting randomness from samplable distributions, in 41st FOCS (IEEE Computer Society Press, November 2000), pp. 32–42
  62. M.N. Wegman, L. Carter, New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci., 22(3), 265–279 (1981)
  63. S. Yilek, E. Rescorla, H. Shacham, B. Enright, S. Savage, When private keys are public: results from the 2008 Debian OpenSSL vulnerability, in Internet Measurement Conference (IMC 2009)
  64. P. Zimmermann, Integer factoring records

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. Ruhr-Universität Bochum, Bochum, Germany
  2. Georgetown University, Washington, USA
  3. Pennsylvania State University, University Park, USA
