On the Security of OAEP

  • Alexandra Boldyreva
  • Marc Fischlin
Conference paper

DOI: 10.1007/11935230_14

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4284)
Cite this paper as:
Boldyreva A., Fischlin M. (2006) On the Security of OAEP. In: Lai X., Chen K. (eds) Advances in Cryptology – ASIACRYPT 2006. ASIACRYPT 2006. Lecture Notes in Computer Science, vol 4284. Springer, Berlin, Heidelberg


Currently, the best and only evidence of the security of the OAEP encryption scheme is a proof in the contentious random oracle model. Here we give further arguments in support of the security of OAEP. We first show that partial instantiations, where one of the two random oracles used in OAEP is instantiated by a function family, can be provably secure (still in the random oracle model). For various security statements about OAEP we specify sufficient conditions for the instantiating function families that, in some cases, are realizable through standard cryptographic primitives and, in other cases, may currently not be known to be achievable but appear moderate and plausible. Furthermore, we give the first non-trivial security result about fully instantiated OAEP in the standard model, where both oracles are instantiated simultaneously. Namely, we show that instantiating both random oracles in OAEP by modest functions implies non-malleability under chosen plaintext attacks for random messages. We also discuss the implications, especially of the full instantiation result, to the usage of OAEP for secure hybrid encryption (as required in SSL/TLS, for example).

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Alexandra Boldyreva (1)
  • Marc Fischlin (2)

  1. College of Computing, Georgia Institute of Technology, USA
  2. Darmstadt University of Technology, Germany
