Random oracles are practical: a paradigm for designing efficient protocols
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform
CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
Extended Notions of Security for Multicast Public Key Cryptosystems
ICALP '00 Proceedings of the 27th International Colloquium on Automata, Languages and Programming
On the Exact Security of Full Domain Hash
CRYPTO '00 Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
Simplified OAEP for the RSA and Rabin Functions
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
RSA-OAEP Is Secure under the RSA Assumption
Journal of Cryptology
Chosen Ciphertext Security with Optimal Ciphertext Overhead
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Public-key encryption in a multi-user setting: security proofs and improvements
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
The security of triple encryption and a framework for code-based game-playing proofs
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
Constructing better KEMs with partial message recovery
Inscrypt'09 Proceedings of the 5th international conference on Information security and cryptology
Beyond provable security verifiable IND-CCA security of OAEP
CT-RSA'11 Proceedings of the 11th international conference on Topics in cryptology: CT-RSA 2011
Hi-index | 0.00 |
OAEP is one of the few standardized and widely deployed public-key encryption schemes. It was designed by Bellare and Rogaway as a scheme based on a trapdoor permutation such as RSA. RSA-OAEP is standardized in RSA's PKCS #1 v2.1 and is part of several standards. RSA-OAEP was shown to be IND-CCA secure in the random oracle model under the standard RSA assumption. However, the reduction is not tight, meaning that the guaranteed level of security is not very high for a practical parameter choice. We first observe that the situation is even worse because the analysis was done in the single-query setting, i.e. where an adversary gets a single challenge ciphertext. This does not take into account the fact that in reality an adversary can observe multiple ciphertexts of related messages. The results about the multi-query setting imply that the guaranteed concrete security can degrade by a factor of q , which is the number of challenge ciphertexts an adversary can get. We re-visit a very simple but not well-known modification of the RSA-OAEP encryption which asks that the RSA function is only applied to a part of the OAEP transform. We show that in addition to the previously shown fact that security of this scheme is tightly related to the hardness of the RSA problem, security does not degrade as the number of ciphertexts an adversary can see increases. Moreover, this scheme can be used to encrypt long messages without using hybrid encryption. We believe that this modification to the RSA-OAEP is easy to implement, and the benefits it provides deserves the attention of standard bodies.