OAEP Reconsidered

Research output: Contribution to journal › Article

Abstract

The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the OAEP security proof. Second, it proves that this gap cannot be filled, in the sense that there can be no standard "black box" security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure. The paper also presents a new scheme OAEP+, along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP. It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. In fact, it turns out - essentially by accident, rather than by design - that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.

Original language: English (US)
Pages (from-to): 223-249
Number of pages: 27
Journal: Journal of Cryptology
Volume: 15
Issue number: 4
DOIs: 10.1007/s00145-002-0133-9
State: Published - Sep 2002

Keywords

  • Chosen ciphertext security
  • Public-key encryption
  • Random oracle model

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • Theoretical Computer Science
  • Computational Theory and Mathematics
  • Applied Mathematics

Cite this

OAEP Reconsidered. / Shoup, Victor.

In: Journal of Cryptology, Vol. 15, No. 4, 09.2002, p. 223-249.

@article{d6a6cefd2db6452284ecd66e7d093978,
title = "OAEP Reconsidered",
abstract = "The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the OAEP security proof. Second, it proves that this gap cannot be filled, in the sense that there can be no standard {"}black box{"} security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure. The paper also presents a new scheme OAEP+, along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP. It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. In fact, it turns out - essentially by accident, rather than by design - that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.",
keywords = "Chosen ciphertext security, Public-key encryption, Random oracle model",
author = "Victor Shoup",
year = "2002",
month = "9",
doi = "10.1007/s00145-002-0133-9",
language = "English (US)",
volume = "15",
pages = "223--249",
journal = "Journal of Cryptology",
issn = "0933-2790",
publisher = "Springer New York",
number = "4",

}
