Content deleted Content added
m replaced: seperated → separated, typo(s) fixed: Verifiy → Verify |
Tassedethe (talk | contribs) m v2.05 - Repaired 1 link to disambiguation page - (You can help) - Jacques Stern |
||
| (13 intermediate revisions by 12 users not shown) | |||
Line 1:
{{Short description|Scheme often used with RSA encryption}}
{{redirect|OAEP|the division of the Thailand Ministry of Science Technology and Environment previously known as the Office of Atomic Energy for Peace|Office of Atoms for Peace}}
In [[cryptography]], '''Optimal Asymmetric Encryption Padding''' ('''OAEP''') is a [[padding (cryptography)|padding scheme]] often used together with [[RSA (
The OAEP algorithm is a form of [[Feistel network]] which uses a pair of [[random oracle]]s G and H to process the plaintext prior to [[asymmetric encryption]]. When combined with any secure [[trapdoor one-way function|trapdoor one-way permutation]] <math>f</math>, this processing is proved in the [[random oracle model]] to result in a combined scheme which is [[semantic security|semantically secure]] under [[chosen plaintext attack]] [[ciphertext indistinguishability|(IND-CPA)]]. When implemented with certain trapdoor permutations (e.g., RSA), OAEP is also
OAEP satisfies the following two goals:
Line 11 ⟶ 12:
The original version of OAEP (Bellare/Rogaway, 1994) showed a form of "[[plaintext-aware encryption|plaintext awareness]]" (which they claimed implies security against [[chosen ciphertext attack]]) in the random oracle model when OAEP is used with any trapdoor permutation. Subsequent results contradicted this claim, showing that OAEP was only [[ciphertext indistinguishability|IND-CCA1]] secure. However, the original scheme was proved in the [[random oracle model]] to be [[ciphertext indistinguishability|IND-CCA2]] secure when OAEP is used with the RSA permutation using standard encryption exponents, as in the case of RSA-OAEP.<ref>
Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and [[Jacques Stern (cryptographer)|Jacques Stern]]. ''RSA-- OAEP is secure under the RSA assumption''. In J. Kilian, ed., Advances in Cryptology
An improved scheme (called OAEP+) that works with any trapdoor one-way permutation was offered by [[Victor Shoup]] to solve this problem.<ref>
Victor Shoup. ''OAEP Reconsidered''. IBM Zurich Research Lab, Saumerstr. 4, 8803 Ruschlikon, Switzerland. September 18, 2001. [http://www.shoup.net/papers/oaep.pdf full version (pdf)]</ref>
More recent work has shown that in the [[Standard
P. Paillier and J. Villar, ''Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption'', Advances in Cryptology
D. Brown, [http://eprint.iacr.org/2006/223 ''What Hashes Make RSA-OAEP Secure?''], IACR ePrint 2006/233.</ref>
Line 26 ⟶ 27:
* ''hLen'' is the length of the output of the hash function in bytes,
* ''k'' is the length of the [[RSA (cryptosystem)|RSA]] modulus ''n'' in bytes,
* ''M'' is the message to be padded, with length ''mLen'' (at most <math>\mathrm{mLen}= k - 2 \cdot \mathrm{hLen} - 2</math> bytes),
* ''L'' is an optional label to be associated with the message (the label is the empty string by default and can be used to authenticate data without requiring encryption),
* ''PS'' is a byte string of <math>k - \mathrm{mLen} - 2 \cdot \mathrm{hLen} - 2</math> null-bytes.
| |||