OAEP Reconsidered

@article{Shoup2002OAEPR,
  title={OAEP Reconsidered},
  author={Victor Shoup},
  journal={Journal of Cryptology},
  year={2002},
  volume={15},
  pages={223--249}
}
  • V. Shoup
  • Published 1 September 2002
  • Computer Science
  • Journal of Cryptology
Abstract. The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First… 
TLDR
It turns out (essentially by accident, rather than by design) that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.
Instantiability of RSA-OAEP under Chosen-Plaintext Attack
TLDR
It is shown that the widely deployed RSA-OAEP encryption scheme, which combines RSA with two rounds of an underlying Feistel network whose hash functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions.
Toward RSA-OAEP Without Random Oracles
TLDR
New partial and full instantiation results under chosen-ciphertext security for the widely implemented and standardized RSA-OAEP encryption scheme of Bellare and Rogaway and two variants are shown.
What Hashes Make RSA-OAEP Secure?
TLDR
A pathological hash function choice that makes RSA-OAEP insecure is demonstrated, and certain types of reductions that could be used to prove the OW-CPA (i.e., the bare minimum) security of RSA-OAEP are considered.
Provably Secure Identity-Based Identification Schemes and Transitive Signatures
TLDR
A general framework of security-preserving transformations between related primitives is presented and used as a tool to prove the security of schemes from 13 different “families” that were proposed in the literature over the last two decades, but that lacked a security proof prior to this work.
On the Selective Opening Security of Practical Public-Key Encryption Schemes
TLDR
It is shown that two well-known and widely employed public-key encryption schemes – RSA Optimal Asymmetric Encryption Padding and Diffie-Hellman Integrated Encryption Standard – are secure under (the strong, simulation-based security notion of) selective opening security against chosen-ciphertext attacks in the random oracle model.
Signcryption schemes with insider security in an ideal permutation model
TLDR
This work designs a generic and efficient signcryption scheme featuring parallel encryption and signature on top of a sponge-based message-padding underlying structure, and proves the construction secure when instantiated from weakly secure asymmetric primitives such as a trapdoor one-way encryption and a universal unforgeable signature.
Enhanced Certificate-Based Encryption from pairings
  • Zuhua Shao
  • Mathematics, Computer Science
    Comput. Electr. Eng.
  • 2011
TLDR
This paper shows that the proposed enhanced Certificate-Based Encryption scheme from pairings in the chosen-key model is semantically secure against adaptive chosen ciphertext attacks in the random oracle model under the Bilinear Diffie-Hellman (BDH) assumption.
A Novel Proof of Shuffle: Exponentially Secure Cut-and-Choose
TLDR
This work proposes a generic compiler which can transform any “shuffle-compatible” Σ-protocol (including, among others, Σ -protocols for re-randomization, decryption, or key shifting) into a Σ'-protocol for permutations of the underlying relation.
Computationally sound automated proofs of cryptographic schemes
TLDR
It is shown that under some conditions, security in that non-cryptographic model implies security in a common cryptographic one, the Bellare-Rogaway model, which enables one to use that existing tool, which was designed to work with a different type of model, to achieve security proofs of public-key-based key exchange protocols in a cryptographic model.

References

Showing 1-10 of 18 references
RSA-OAEP Is Secure under the RSA Assumption
TLDR
It is proved that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation.
Simplified OAEP for the RSA and Rabin Functions
  • D. Boneh
  • Mathematics, Computer Science
    CRYPTO
  • 2001
TLDR
It is shown that for the Rabin and RSA trapdoor functions a much simpler padding scheme is sufficient for chosen ciphertext security in the random oracle model and that only one round of a Feistel network is sufficient.
Relations among Notions of Security for Public-Key Encryption Schemes
TLDR
The goals of privacy and non-malleability are considered, each under chosen plaintext attack and two kinds of chosen ciphertext attack, and a new definition of non-malleability is proposed which the authors believe is simpler than the previous one.
The random oracle methodology, revisited (preliminary version)
TLDR
There exist signature and encryption schemes which are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes.
The random oracle methodology, revisited
TLDR
There exist signature and encryption schemes that are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes.
Random oracles are practical: a paradigm for designing efficient protocols
TLDR
It is argued that the random oracles model—where all parties have access to a public random oracle—provides a bridge between cryptographic theory and cryptographic practice, and yields protocols much more efficient than standard ones while retaining many of the advantages of provable security.
Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack
TLDR
A formalization of chosen ciphertext attack is given in a model which is stronger than the "lunchtime attack" considered by Naor and Yung, and a non-interactive public-key cryptosystem based on non-interactive zero-knowledge proof of knowledge is proved secure against it.
A method for obtaining digital signatures and public-key cryptosystems
An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important
Optimal Asymmetric Encryption
TLDR
A slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she “knows” the corresponding plaintexts—such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.
A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract)
TLDR
This framework provides a sound formalization for the authentication problem, suggests simple and attractive design principles for general authentication and key exchange protocols, and is used to construct and prove the security of simple and practical authentication and key-exchange protocols.