Instantiability of RSA-OAEP under Chosen-Plaintext Attack

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6223)


We show that the widely deployed RSA-OAEP encryption scheme of Bellare and Rogaway (Eurocrypt 1994), which combines RSA with two rounds of an underlying Feistel network whose hash (i.e., round) functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions. To prove this, we first give a result on a more general notion called “padding-based” encryption, saying that such a scheme is IND-CPA if (1) its underlying padding transform satisfies a “fooling” condition against small-range distinguishers on a class of high-entropy input distributions, and (2) its trapdoor permutation is sufficiently lossy as defined by Peikert and Waters (STOC 2008). We then show that the first round of OAEP satisfies condition (1) if its hash function is t-wise independent for appropriate t and that RSA satisfies condition (2) under the Φ-Hiding Assumption of Cachin et al. (Eurocrypt 1999).

This appears to be the first non-trivial positive result about the instantiability of RSA-OAEP. In particular, it increases our confidence that chosen-plaintext attacks are unlikely to be found against the scheme. In contrast, RSA-OAEP’s predecessor in PKCS #1 v1.5 was shown to be vulnerable to such attacks by Coron et al. (Eurocrypt 2000).
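The following is an added illustration, not code from the paper, of the "lossy" mode of RSA that condition (2) relies on: on the units of Z_N the map x ↦ x^e mod N is injective exactly when gcd(e, φ(N)) = 1, whereas if e divides p−1 (the Φ-Hiding setting) it is e-to-1 and a ciphertext loses log2(e) bits about its preimage. The primes and exponent are toy values chosen so the image can be enumerated by brute force; with real parameters the two kinds of modulus are assumed indistinguishable, which is what the Φ-Hiding Assumption states.

```python
from math import gcd, log2


def rsa_image(N: int, e: int) -> set:
    """All values x^e mod N over units x of Z_N, found by brute force (toy N only)."""
    return {pow(x, e, N) for x in range(1, N) if gcd(x, N) == 1}


def preimage_count(N: int, e: int, y: int) -> int:
    """How many units x satisfy x^e = y mod N; 1 for injective RSA, e in lossy mode."""
    return sum(1 for x in range(1, N) if gcd(x, N) == 1 and pow(x, e, N) == y)


def is_injective(p: int, q: int, e: int) -> bool:
    """Ordinary RSA key: e is coprime to phi(N) = (p-1)(q-1)."""
    return gcd(e, (p - 1) * (q - 1)) == 1


def expected_image_size(p: int, q: int, e: int) -> int:
    """Group theory, no brute force: x -> x^e is gcd(e,p-1)-to-1 on Z_p^* and
    gcd(e,q-1)-to-1 on Z_q^*, so by CRT the image of Z_N^* has size
    phi(N) / (gcd(e,p-1) * gcd(e,q-1))."""
    return ((p - 1) * (q - 1)) // (gcd(e, p - 1) * gcd(e, q - 1))


def lossiness_bits(p: int, q: int, e: int) -> float:
    """Bits of preimage information lost by one exponentiation (0.0 when injective),
    measured on the brute-force image; equals log2(e) when e | p-1 and gcd(e,q-1)=1."""
    phi = (p - 1) * (q - 1)
    return log2(phi) - log2(len(rsa_image(p * q, e)))


if __name__ == "__main__":
    e = 5
    lossy = (11, 7)    # constructed: 5 | 11-1, so e divides phi(N) (Phi-hiding mode)
    normal = (13, 7)   # constructed: gcd(5, 12*6) = 1, ordinary injective RSA
    for p, q in (lossy, normal):
        N = p * q
        print(f"N={N} e={e} injective={is_injective(p, q, e)} "
              f"image={len(rsa_image(N, e))} (expected {expected_image_size(p, q, e)}) "
              f"preimages of 1={preimage_count(N, e, 1)} "
              f"lost bits={lossiness_bits(p, q, e):.2f}")
```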




References

  1. Abdalla, M., Bellare, M., Rogaway, P.: The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, p. 143. Springer, Heidelberg (2001)
  2. Barak, B., Shaltiel, R., Tromer, E.: True Random Number Generators Secure in a Changing Environment. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 166–180. Springer, Heidelberg (2003)
  3. Bellare, M., Rompel, J.: Randomness-Efficient Oblivious Sampling. In: FOCS 1994. ACM, New York (1994)
  4. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: The Conference on Computer and Communications Security. ACM, New York (1993)
  5. Bellare, M., Rogaway, P.: Optimal asymmetric encryption: How to encrypt with RSA. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)
  6. Boldyreva, A., Fehr, S., O’Neill, A.: On notions of security for deterministic encryption, and efficient constructions without random oracles. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 335–359. Springer, Heidelberg (2008)
  7. Boldyreva, A., Fischlin, M.: Analysis of random oracle instantiation scenarios for OAEP and other practical schemes. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 412–429. Springer, Heidelberg (2005)
  8. Boldyreva, A., Fischlin, M.: On the security of OAEP. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 210–225. Springer, Heidelberg (2006)
  9. Boneh, D.: Simplified OAEP for the RSA and Rabin functions. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 275. Springer, Heidelberg (2001)
  10. Brown, D.: What hashes make RSA-OAEP secure? In: Cryptology ePrint Archive, Report 2006/223 (2006)
  11. Boldyreva, A., Cash, C., Fischlin, M., Warinschi, B.: Efficient private bidding and auctions with an oblivious third party. In: ASIACRYPT 2009 (2009)
  12. Cachin, C.: Efficient private bidding and auctions with an oblivious third party. In: CCS 1999. ACM, New York (1999)
  13. Cachin, C., Micali, S., Stadler, M.: Computationally private information retrieval with polylogarithmic communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 402. Springer, Heidelberg (1999)
  14. Canetti, R.: Towards realizing random oracles: Hash functions that hide all partial information. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 455–469. Springer, Heidelberg (1997)
  15. Canetti, R., Dakdouk, R.: Extractable Perfectly One-Way Functions. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 449–460. Springer, Heidelberg (2008)
  16. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
  17. Canetti, R., Micciancio, D., Reingold, O.: Perfectly one-way probabilistic hash functions. In: STOC 1998. ACM, New York (1998)
  18. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10 (1997)
  19. Coron, J.-S., Joye, M., Naccache, D., Paillier, P.: New Attacks on PKCS #1 v1.5 Encryption. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 369. Springer, Heidelberg (2000)
  20. Coron, J.-S., Joye, M., Naccache, D., Paillier, P.: Universal Padding Schemes for RSA. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 226. Springer, Heidelberg (2002)
  21. Dodis, Y., Oliveira, R., Pietrzak, K.: On the Generic Insecurity of the Full Domain Hash. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 449–466. Springer, Heidelberg (2005)
  22. Dodis, Y., Smith, A.: Correcting errors without leaking partial information. In: STOC 2005. ACM Press, New York (2005)
  23. Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. J. Cryptology 17(2), 81–104 (2004)
  24. Gentry, C., Mackenzie, P., Ramzan, Z.: Password authenticated key exchange using hidden smooth subgroups. In: CCS 2005. ACM, New York (2005)
  25. Hemenway, B., Ostrovsky, R.: Public-key locally-decodable codes. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 126–143. Springer, Heidelberg (2008)
  26. Kazukuni, K., Imai, H.: OAEP++: A Very Simple Way to Apply OAEP to Deterministic OW-CPA Primitives. In: Cryptology ePrint Archive, Report 2002/130 (2002)
  27. Kiltz, E., O’Neill, A., Smith, A.: Instantiability of RSA-OAEP under Chosen-Plaintexts Attacks. Full version of this paper
  28. Kiltz, E., Pietrzak, K.: The Group of Signed Quadratic Residues and Applications. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 637–653. Springer, Heidelberg (2009)
  29. Kiltz, E., Pietrzak, K.: On the security of padding-based encryption schemes (or: Why we cannot prove OAEP secure in the standard model). In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 389–406. Springer, Heidelberg (2009)
  30. Kiltz, E., Pietrzak, K.: Personal Communication (2009)
  31. Lenstra, A.K.: Unbelievable security: Matching AES security using public key systems. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, p. 67. Springer, Heidelberg (2001)
  32. May, A.: Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey. In: LLL+25 Conference in Honour of the 25th Birthday of the LLL Algorithm (2007)
  33. Herrmann, M., May, A.: Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)
  34. Paillier, P., Villar, J.: Trading one-wayness against chosen-ciphertext security in factoring-based encryption. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 252–266. Springer, Heidelberg (2006)
  35. Pandey, O., Pass, R., Vaikuntanathan, V.: Adaptive One-Way Functions and Applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 57–74. Springer, Heidelberg (2008)
  36. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: STOC 2008. ACM, New York (2008)
  37. RSA Laboratories Public-Key Cryptography Standards,
  38. Rivest, R., Shamir, A., Adelman, L.: A method for obtaining public-key cryptosystems and digital signatures. Technical Report MIT/LCS/TM-82 (1977)
  39. Rivest, R., Shamir, A., Adelman, L.: Cryptographic communications system and method. U.S. Patent 4,405,829 (1983)
  40. Schridde, C., Freisleben, B.: On the validity of the Φ-Hiding Assumption in cryptographic protocols. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 344–354. Springer, Heidelberg (2008)
  41. Shoup, V.: OAEP Reconsidered. J. Cryptology 15(4), 223–249 (2002)
  42. Trevisan, L., Vadhan, S.: Extracting Randomness from Samplable Distributions. In: FOCS 2000. ACM, New York (2000)
  43. Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S.: When Private Keys are Public: Results from the 2008 Debian OpenSSL Debacle. In: IMC 2009 (2009)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. Centrum voor Wiskunde en Informatica, Amsterdam, Netherlands
  2. Georgia Institute of Technology, Atlanta, USA
  3. Pennsylvania State University, University Park, USA
