Random oracles are practical: a paradigm for designing efficient protocols
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform
CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
Extended Notions of Security for Multicast Public Key Cryptosystems
ICALP '00 Proceedings of the 27th International Colloquium on Automata, Languages and Programming
On the Exact Security of Full Domain Hash
CRYPTO '00 Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
Simplified OAEP for the RSA and Rabin Functions
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
RSA-OAEP Is Secure under the RSA Assumption
Journal of Cryptology
Chosen Ciphertext Security with Optimal Ciphertext Overhead
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Public-key encryption in a multi-user setting: security proofs and improvements
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
The security of triple encryption and a framework for code-based game-playing proofs
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
Performance evaluation of security techniques in web services
Proceedings of the 13th International Conference on Information Integration and Web-based Applications and Services
| Hi-index | 754.84 |
OAEP is one of the few standardized and widely deployed public-key encryption schemes. It was designed by Bellare and Rogaway as a scheme based on a trapdoor permutation such as RSA. RSA-OAEP is standardized in RSA's PKCS #1 v2.1 and is part of several standards. OAEP was shown to be IND-CCA secure assuming the underlying trapdoor permutation is partial one-way, and RSA-OAEP was proven to be IND-CCA under the standard RSA assumption, both in the random oracle model. However, the latter reduction is not tight, meaning that the guaranteed level of security is not very high for a practical parameter choice. We observe that the situation is even worse because both analyses were done in the single-query setting, i.e., where an adversary gets a single challenge ciphertext. This does not take into account the fact that in reality an adversary can observe multiple ciphertexts of related messages. The results about the multiquery setting imply that the guaranteed concrete security can degrade by a factor of q, which is the number of challenge ciphertexts an adversary can get. We propose a very simple modification of the OAEP encryption, which asks that the trapdoor permutation instance is only applied to a part of the OAEP transform. We show that IND-CCA security of this scheme is tightly related to the hardness of one-wayness of the trapdoor permutation in the random oracle model. This implies tight security for RSA-OAEP under the RSA assumption. We also show that security does not degrade as the number of cipher-texts an adversary can see increases. Moreover, OAEP can be used to encrypt long messages without using hybrid encryption. We believe that this modification is easy to implement, and the benefits it provides deserves the attention of standard bodies.