Abstract
Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-cipher-text attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) one-wayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among Notions of Security for Public-Key Encryption Schemes. In Crypto’ 98, LNCS 1462, pages 26–45. Springer-Verlag, Berlin, 1998.
M. Bellare and P. Rogaway. Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols. In Proc. of the 1st CCS, pages 62–73. ACM Press, New York, 1993.
M. Bellare and P. Rogaway. Optimal Asymmetric Encryption-How to Encrypt with RSA. In Eurocrypt’ 94, LNCS 950, pages 92–111. Springer-Verlag, Berlin, 1995.
D. Bleichenbacher. A Chosen Ciphertext Attack against Protocols based on the RSA Encryption Standard PKCS #1. In Crypto’ 98, LNCS 1462, pages 1–12. Springer-Verlag, Berlin, 1998.
D. Coppersmith. Finding a Small Root of a Univariate Modular Equation. In Eurocrypt’ 96, LNCS 1070, pages 155–165. Springer-Verlag, Berlin, 1996.
D. Dolev, C. Dwork, and M. Naor. Non-Malleable Cryptography. SIAM Journal on Computing, 30(2):391–437, 2000.
S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences, 28:270–299, 1984.
C. Hall, I. Goldberg, and B. Schneier. Reaction Attacks Against Several Public-Key Cryptosystems. In Proc. of ICICS’99, LNCS, pages 2–12. Springer-Verlag, 1999.
M. Joye, J. J. Quisquater, and M. Yung. On the Power of Misbehaving Adversaries and Security Analysis of the Original EPOC. In CT-RSA’ 2001, LNCS 2020, pages 208–222. Springer-Verlag, Berlin, 2001.
M. Naor and M. Yung. Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. In Proc. of the 22nd STOC, pages 427–437. ACM Press, New York, 1990.
T. Okamoto and D. Pointcheval. REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform. In CT-RSA’ 2001, LNCS 2020, pages 159–175. Springer-Verlag, Berlin, 2001.
C. Rackoff and D. R. Simon. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In Crypto’ 91, LNCS 576, pages 433–444. Springer-Verlag, Berlin, 1992.
R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.
RSA Data Security, Inc. Public Key Cryptography Standards-PKCS.
V. Shoup. OAEP Reconsidered. In Crypto’ 2001, LNCS. Springer-Verlag, Berlin, 2001.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2001 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J. (2001). RSA-OAEP Is Secure under the RSA Assumption. In: Kilian, J. (eds) Advances in Cryptology — CRYPTO 2001. CRYPTO 2001. Lecture Notes in Computer Science, vol 2139. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44647-8_16
Download citation
DOI: https://doi.org/10.1007/3-540-44647-8_16
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42456-7
Online ISBN: 978-3-540-44647-7
eBook Packages: Springer Book Archive