The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public-key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the OAEP security proof. Second, it proves that this gap cannot be filled, in the sense that there can be no standard "black box" security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure. The paper also presents a new scheme OAEP+, along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP, and even has a tighter security reduction. It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. In fact, it turns out, essentially by accident rather than by design, that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.
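The abstract names OAEP and OAEP+ but gives neither scheme's internals. The Python below is an added example, not code from the paper or from this page: it implements OAEP+ padding and unpadding with its redundancy check next to the original OAEP zero-block check, both applied through a toy RSA trapdoor permutation, so the structural difference the abstract alludes to is visible in code. The OAEP+ construction follows the published scheme as I recall it (s = (G(r) xor m) || H'(r || m), t = H(s) xor r, ciphertext f(s || t)); the block lengths, the SHA-256 counter-mode instantiation of the random oracles G, H and H', and the Mersenne-prime RSA modulus are assumptions made for this example and are far too small for real use.

```python
import hashlib
import hmac
import os

# Toy parameters in bytes (assumed for this example; not the paper's values).
N_LEN, K0_LEN, K1_LEN = 6, 6, 6          # message n, seed k0, redundancy k1
W_LEN = N_LEN + K1_LEN + K0_LEN          # padded block s || t

# Toy trapdoor permutation: RSA with two Mersenne primes (constructed here,
# modulus about 2^150, enough to hold a 144-bit padded block). Insecure sizes.
P, Q = (1 << 61) - 1, (1 << 89) - 1
MOD = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # gcd(E, phi) = 1 for these primes


def f(w):
    """Public direction of the trapdoor permutation on the padded block."""
    return pow(int.from_bytes(w, "big"), E, MOD)


def f_inv(c):
    """Trapdoor direction; None if the preimage does not fit the block size."""
    w = pow(c, D, MOD)
    if w >= 1 << (8 * W_LEN):
        return None
    return w.to_bytes(W_LEN, "big")


def ro(label, data, out_len):
    """Random-oracle stand-in: labelled counter-mode SHA-256 (assumed)."""
    out, ctr = b"", 0
    while len(out) < out_len:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big") + data).digest()
        ctr += 1
    return out[:out_len]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_plus_encrypt(m, r=None):
    """OAEP+: s = (G(r) xor m) || H'(r || m);  t = H(s) xor r;  c = f(s || t)."""
    assert len(m) == N_LEN
    r = r if r is not None else os.urandom(K0_LEN)
    assert len(r) == K0_LEN
    s = xor(ro(b"G", r, N_LEN), m) + ro(b"H'", r + m, K1_LEN)
    t = xor(ro(b"H", s, K0_LEN), r)
    return f(s + t)


def oaep_plus_decrypt(c):
    """Recover r and m, then accept only if H'(r || m) matches the redundancy."""
    w = f_inv(c)
    if w is None:
        return None
    s, t = w[:N_LEN + K1_LEN], w[N_LEN + K1_LEN:]
    r = xor(ro(b"H", s, K0_LEN), t)
    m = xor(ro(b"G", r, N_LEN), s[:N_LEN])
    # The redundancy is a hash of both r and m, so it binds the whole plaintext.
    if not hmac.compare_digest(ro(b"H'", r + m, K1_LEN), s[N_LEN:]):
        return None
    return m


def oaep_encrypt(m, r=None):
    """Original OAEP for contrast: s = (m || 0^k1) xor G(r);  t = H(s) xor r."""
    assert len(m) == N_LEN
    r = r if r is not None else os.urandom(K0_LEN)
    assert len(r) == K0_LEN
    s = xor(m + bytes(K1_LEN), ro(b"G", r, N_LEN + K1_LEN))
    t = xor(ro(b"H", s, K0_LEN), r)
    return f(s + t)


def oaep_decrypt(c):
    """Recover the padded block and accept only if the k1 zero block survived."""
    w = f_inv(c)
    if w is None:
        return None
    s, t = w[:N_LEN + K1_LEN], w[N_LEN + K1_LEN:]
    r = xor(ro(b"H", s, K0_LEN), t)
    padded = xor(s, ro(b"G", r, N_LEN + K1_LEN))
    # The redundancy here is a fixed constant, independent of r and m.
    if not hmac.compare_digest(padded[N_LEN:], bytes(K1_LEN)):
        return None
    return padded[:N_LEN]


if __name__ == "__main__":
    msg = b"secret"                      # constructed 6-byte sample message
    c_plus = oaep_plus_encrypt(msg)
    print("OAEP+ round trip:", oaep_plus_decrypt(c_plus) == msg)
    print("OAEP+ tampered ciphertext rejected:", oaep_plus_decrypt(c_plus ^ 1) is None)
    c_old = oaep_encrypt(msg)
    print("OAEP round trip:", oaep_decrypt(c_old) == msg)
    print("OAEP tampered ciphertext rejected:", oaep_decrypt(c_old ^ 1) is None)
```

Both decryptors reject a modified ciphertext, so the difference is not in what a user observes but in what a proof can use: in OAEP+ the accepted redundancy is H'(r || m), which a simulator can match against its own oracle queries, whereas in OAEP it is a constant zero block. Keep the redundancy comparison constant-time in any real implementation, since a timing difference between the two rejection paths is exactly the kind of observable an adaptive chosen-ciphertext attacker looks for.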