OAEP reconsidered

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public-key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the OAEP security proof. Second, it proves that this gap cannot be filled, in the sense that there can be no standard "black box" security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure. The paper also presents a new scheme OAEP+, along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP, and even has a tighter security reduction. It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. In fact, it turns out- essentially by accident, rather than by design-that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.

Original languageEnglish (US)
Title of host publicationAdvances in Cryptology, CRYPTO 2001 - 21st Annual International Cryptology Conference, Proceedings
Pages239-259
Number of pages21
Volume2139 LNCS
StatePublished - 2001
Event21st Annual International Cryptology Conference, CRYPTO 2001 - Santa Barbara, CA, United States
Duration: Aug 19 2001Aug 23 2001

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume2139 LNCS
ISSN (Print)03029743
ISSN (Electronic)16113349

Other

Other21st Annual International Cryptology Conference, CRYPTO 2001
CountryUnited States
CitySanta Barbara, CA
Period8/19/018/23/01

Fingerprint

Cryptography
Random Oracle Model
Justification
Accidents
Permutation
Security Proof
Public Key Encryption
Black Box
Encryption
Convert
Attack
Imply

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Shoup, V. (2001). OAEP reconsidered. In Advances in Cryptology, CRYPTO 2001 - 21st Annual International Cryptology Conference, Proceedings (Vol. 2139 LNCS, pp. 239-259). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 2139 LNCS).

OAEP reconsidered. / Shoup, Victor.

Advances in Cryptology, CRYPTO 2001 - 21st Annual International Cryptology Conference, Proceedings. Vol. 2139 LNCS 2001. p. 239-259 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 2139 LNCS).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Shoup, V 2001, OAEP reconsidered. in Advances in Cryptology, CRYPTO 2001 - 21st Annual International Cryptology Conference, Proceedings. vol. 2139 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 2139 LNCS, pp. 239-259, 21st Annual International Cryptology Conference, CRYPTO 2001, Santa Barbara, CA, United States, 8/19/01.
Shoup V. OAEP reconsidered. In Advances in Cryptology, CRYPTO 2001 - 21st Annual International Cryptology Conference, Proceedings. Vol. 2139 LNCS. 2001. p. 239-259. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
Shoup, Victor. / OAEP reconsidered. Advances in Cryptology, CRYPTO 2001 - 21st Annual International Cryptology Conference, Proceedings. Vol. 2139 LNCS 2001. pp. 239-259 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{07308d53d2734a3a854c8a12099e7476,
title = "OAEP reconsidered",
abstract = "The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public-key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the OAEP security proof. Second, it proves that this gap cannot be filled, in the sense that there can be no standard {"}black box{"} security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure. The paper also presents a new scheme OAEP+, along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP, and even has a tighter security reduction. It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. In fact, it turns out- essentially by accident, rather than by design-that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.",
author = "Victor Shoup",
year = "2001",
language = "English (US)",
isbn = "3540424563",
volume = "2139 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "239--259",
booktitle = "Advances in Cryptology, CRYPTO 2001 - 21st Annual International Cryptology Conference, Proceedings",

}

TY - GEN

T1 - OAEP reconsidered

AU - Shoup, Victor

PY - 2001

Y1 - 2001

N2 - The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public-key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the OAEP security proof. Second, it proves that this gap cannot be filled, in the sense that there can be no standard "black box" security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure. The paper also presents a new scheme OAEP+, along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP, and even has a tighter security reduction. It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. In fact, it turns out- essentially by accident, rather than by design-that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.

AB - The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public-key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the OAEP security proof. Second, it proves that this gap cannot be filled, in the sense that there can be no standard "black box" security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure. The paper also presents a new scheme OAEP+, along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP, and even has a tighter security reduction. It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. In fact, it turns out- essentially by accident, rather than by design-that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.

UR - http://www.scopus.com/inward/record.url?scp=84880904783&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84880904783&partnerID=8YFLogxK

M3 - Conference contribution

SN - 3540424563

SN - 9783540424567

VL - 2139 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 239

EP - 259

BT - Advances in Cryptology, CRYPTO 2001 - 21st Annual International Cryptology Conference, Proceedings

ER -