RSA-OAEP Is Secure under the RSA Assumption

  • Eiichiro Fujisaki
  • Tatsuaki Okamoto
  • David Pointcheval
  • Jacques Stern
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2139)


Recently Victor Shoup noted that there is a gap in the widely believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, the proof uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) one-wayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.
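The OAEP transform the abstract refers to, as an added example that is not part of the paper or any code by its authors: a toy Python implementation of RSA-OAEP in the PKCS#1 v2 layout, with SHA-256 through MGF1 standing in for the random oracles G and H, a textbook RSA permutation over constructed demo primes as the trapdoor permutation, and a decoder that reports one generic failure whichever padding check fails. The round trip shows the two-round masking (the seed masks the data block, the masked data block masks the seed) that the security proof reasons about; the tampered-ciphertext case shows the padding check that the decryption oracle in the adaptive chosen-ciphertext model is assumed to enforce. All function names, the 1024-bit demo key size and the sample plaintext are assumptions of this example.

```python
"""Toy RSA-OAEP round trip (added example, not the paper's code): OAEP padding in
the PKCS#1 v2 layout over a textbook RSA permutation with constructed demo primes."""
import hashlib
import secrets

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 bytes


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; probabilistic, adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so p*q has the intended size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=1024, e=65537):
    """Return ((n, e), (n, d)); 'bits' is a constructed demo size. Needs Python 3.8+."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e (prime) must be invertible mod phi
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def mgf1(seed, length):
    """MGF1 mask generation; plays the role of the random oracles G and H."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(msg, k, label=b""):
    """Pad msg to k bytes: DB = lHash || 00..00 || 01 || msg, then mask DB with
    G(seed) and mask the seed with H(masked DB)."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long for this modulus size")
    db = HASH(label).digest() + b"\x00" * (k - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    seed = secrets.token_bytes(H_LEN)
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, k, label=b""):
    """Undo the masking and check the padding; every failure returns the same None."""
    if len(em) != k or k < 2 * H_LEN + 2:
        return None
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    bad = (em[0] != 0) | (db[:H_LEN] != HASH(label).digest())
    i = H_LEN
    while i < len(db) and db[i] == 0:  # skip the zero padding string
        i += 1
    bad |= i >= len(db) or db[i] != 1
    return None if bad else db[i + 1:]


def rsa_oaep_encrypt(pub, msg):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(oaep_encode(msg, k), "big"), e, n).to_bytes(k, "big")


def rsa_oaep_decrypt(priv, ct):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    c = int.from_bytes(ct, "big")
    if len(ct) != k or c >= n:
        return None
    return oaep_decode(pow(c, d, n).to_bytes(k, "big"), k)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    ct = rsa_oaep_encrypt(pub, b"constructed demo plaintext")
    print(rsa_oaep_decrypt(priv, ct))
    tampered = ct[:-1] + bytes([ct[-1] ^ 0xFF])  # one flipped ciphertext byte
    print(rsa_oaep_decrypt(priv, tampered))  # None: the padding check rejects it
```

The decoder deliberately collects all checks into one flag and returns a single generic failure, so a caller cannot tell from the result which part of the padding was wrong; this is the behaviour a decryption oracle should have in the chosen-ciphertext setting the abstract discusses.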





Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Eiichiro Fujisaki (1)
  • Tatsuaki Okamoto (1)
  • David Pointcheval (2)
  • Jacques Stern (2)
  1. NTT Labs, Yokosuka-shi, Japan
  2. Dépt d’Informatique, ENS - CNRS, Paris Cedex 05, France
