# OAEP Reconsidered

@article{Shoup2002OAEPR, title={OAEP Reconsidered}, author={Victor Shoup}, journal={Journal of Cryptology}, year={2002}, volume={15}, pages={223-249} }

Abstract. The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First…

## 47 Citations

OAEP Reconsidered

- Computer Science, CRYPTO
- 2000

It turns out, essentially by accident rather than by design, that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.

Instantiability of RSA-OAEP under Chosen-Plaintext Attack

- Mathematics, Computer Science, CRYPTO
- 2010

It is shown that the widely deployed RSA-OAEP encryption scheme, which combines RSA with two rounds of an underlying Feistel network whose hash functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions.

Toward RSA-OAEP Without Random Oracles

- Computer Science, Public Key Cryptography
- 2020

New partial and full instantiation results under chosen-ciphertext security for the widely implemented and standardized RSA-OAEP encryption scheme of Bellare and Rogaway and two variants are shown.

What Hashes Make RSA-OAEP Secure?

- Computer Science, IACR Cryptol. ePrint Arch.
- 2006

A pathological hash function choice that makes RSA-OAEP insecure is demonstrated, and certain types of reductions that could be used to prove the OW-CPA (i.e., the bare minimum) security of RSA-OAEP are considered.

Provably Secure Identity-Based Identification Schemes and Transitive Signatures

- Computer Science
- 2004

A general framework of security-preserving transformations between related primitives is presented and used as a tool to prove the security of schemes from 13 different “families” that were proposed in the literature over the last two decades, but that lacked a security proof prior to this work.

On the Selective Opening Security of Practical Public-Key Encryption Schemes

- Computer Science, Public Key Cryptography
- 2015

It is shown that two well-known and widely employed public-key encryption schemes – RSA Optimal Asymmetric Encryption Padding and Diffie-Hellman Integrated Encryption Standard – are secure under (the strong, simulation-based security notion of) selective opening security against chosen-ciphertext attacks in the random oracle model.

Signcryption schemes with insider security in an ideal permutation model

- Mathematics, Computer Science, J. Math. Cryptol.
- 2019

This work designs a generic and efficient signcryption scheme featuring parallel encryption and signature on top of a sponge-based message-padding underlying structure, and proves the construction secure when instantiated from weakly secure asymmetric primitives such as a trapdoor one-way encryption and a universal unforgeable signature.

Enhanced Certificate-Based Encryption from pairings

- Mathematics, Computer Science, Comput. Electr. Eng.
- 2011

This paper shows that the proposed enhanced Certificate-Based Encryption scheme from pairings in the chosen-key model is semantically secure against adaptive chosen ciphertext attacks in the random oracle model under the Bilinear Diffie-Hellman (BDH) assumption.

A Novel Proof of Shuffle: Exponentially Secure Cut-and-Choose

- Computer Science, IACR Cryptol. ePrint Arch.
- 2021

This work proposes a generic compiler which can transform any “shuffle-compatible” Σ-protocol (including, among others, Σ-protocols for re-randomization, decryption, or key shifting) into a Σ'-protocol for permutations of the underlying relation.

Computationally sound automated proofs of cryptographic schemes

- Computer Science
- 2012

It is shown that under some conditions, security in that non-cryptographic model implies security in a common cryptographic one, the Bellare-Rogaway model, which enables one to use that existing tool, which was designed to work with a different type of model, to achieve security proofs of public-key-based key exchange protocols in a cryptographic model.

## References

Showing 1-10 of 18 references.

RSA-OAEP Is Secure under the RSA Assumption

- Computer Science, Journal of Cryptology
- 2002

It is proved that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation.

Simplified OAEP for the RSA and Rabin Functions

- Mathematics, Computer Science, CRYPTO
- 2001

It is shown that for the Rabin and RSA trapdoor functions a much simpler padding scheme is sufficient for chosen ciphertext security in the random oracle model and that only one round of a Feistel network is sufficient.

Relations among Notions of Security for Public-Key Encryption Schemes

- Computer Science, Mathematics, IACR Cryptol. ePrint Arch.
- 1998

The goals of privacy and non-malleability are considered, each under chosen plaintext attack and two kinds of chosen ciphertext attack, and a new definition of non-malleability is proposed which the authors believe is simpler than the previous one.

The random oracle methodology, revisited (preliminary version)

- Computer Science, STOC '98
- 1998

There exist signature and encryption schemes which are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes.

The random oracle methodology, revisited

- Mathematics, Computer Science, JACM
- 2004

There exist signature and encryption schemes that are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes.

Random oracles are practical: a paradigm for designing efficient protocols

- Computer Science, CCS '93
- 1993

It is argued that the random oracles model—where all parties have access to a public random oracle—provides a bridge between cryptographic theory and cryptographic practice, and yields protocols much more efficient than standard ones while retaining many of the advantages of provable security.

Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack

- Mathematics, Computer Science, CRYPTO
- 1991

A formalization of chosen ciphertext attack is given in a model that is stronger than the "lunchtime attack" considered by Naor and Yung, and a non-interactive public-key cryptosystem based on non-interactive zero-knowledge proof of knowledge is proved secure against it.

A method for obtaining digital signatures and public-key cryptosystems

- Computer Science, CACM
- 1983

An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important…

Optimal Asymmetric Encryption

- Computer Science, EUROCRYPT
- 1994

A slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she “knows” the corresponding plaintexts—such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.

A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract)

- Computer Science, STOC '98
- 1998

This framework provides a sound formalization for the authentication problem, suggests simple and attractive design principles for general authentication and key exchange protocols, and is used to construct and prove the security of simple and practical authentication and key-exchange protocols.