On the Security Properties of OAEP as an All-or-Nothing Transform

  • Victor Boyko
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1666)


This paper studies All-or-Nothing Transforms (AONTs), which have been proposed by Rivest as a mode of operation for block ciphers. An AONT is an unkeyed, invertible, randomized transformation, with the property that it is hard to invert unless all of the output is known. Applications of AONTs include improving the security and speed of encryption. We give several formal definitions of security for AONTs that are stronger and more suited to practical applications than the original definitions. We then prove that Optimal Asymmetric Encryption Padding (OAEP) satisfies these definitions (in the random oracle model). This is the first construction of an AONT that has been proven secure in the strong sense. Our bound on the adversary’s advantage is nearly optimal, in the sense that no adversary can do substantially better against the OAEP than by exhaustive search. We also show that no AONT can achieve substantially better security than OAEP.

Key words

all-or-nothing transforms encryption modes OAEP random oracles polynomial indistinguishability semantic security exact security 

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Victor Boyko
    • 1
  1. 1.MIT Laboratory for Computer ScienceCambridgeUSA

Personalised recommendations