Optimal asymmetric encryption padding: Difference between revisions

Content deleted Content added
Tags: Reverted, Mobile edit, Mobile web edit
m v2.05 - Repaired 1 link to disambiguation page - (You can help) - Jacques Stern
 
(5 intermediate revisions by 5 users not shown)
Line 12:
 
The original version of OAEP (Bellare/Rogaway, 1994) showed a form of "[[plaintext-aware encryption|plaintext awareness]]" (which they claimed implies security against [[chosen ciphertext attack]]) in the random oracle model when OAEP is used with any trapdoor permutation. Subsequent results contradicted this claim, showing that OAEP was only [[ciphertext indistinguishability|IND-CCA1]] secure. However, the original scheme was proved in the [[random oracle model]] to be [[ciphertext indistinguishability|IND-CCA2]] secure when OAEP is used with the RSA permutation using standard encryption exponents, as in the case of RSA-OAEP.<ref>
Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and [[Jacques Stern (cryptographer)|Jacques Stern]]. ''RSA-- OAEP is secure under the RSA assumption''. In J. Kilian, ed., Advances in Cryptology – [[CRYPTO]] 2001, vol. 2139 of Lecture Notes in Computer Science, SpringerVerlag, 2001. [http://eprint.iacr.org/2000/061.pdf full version (pdf)]</ref>
An improved scheme (called OAEP+) that works with any trapdoor one-way permutation was offered by [[Victor Shoup]] to solve this problem.<ref>
Victor Shoup. ''OAEP Reconsidered''. IBM Zurich Research Lab, Saumerstr. 4, 8803 Ruschlikon, Switzerland. September 18, 2001. [http://www.shoup.net/papers/oaep.pdf full version (pdf)]</ref>
More recent work has shown that in the [[Standard Modelmodel (cryptography)|standard model]] (that is, when hash functions are not modeled as random oracles) it is impossible to prove the IND-CCA2 security of RSA-OAEP under the assumed hardness of the [[RSA problem]].<ref>
P. Paillier and J. Villar, ''Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption'', Advances in Cryptology – [[Asiacrypt]] 2006.</ref><ref>
D. Brown, [http://eprint.iacr.org/2006/223 ''What Hashes Make RSA-OAEP Secure?''], IACR ePrint 2006/233.</ref>
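Review bot: the ePrint identifier in the Brown citation disagrees with its URL: the link points to eprint.iacr.org/2006/223 while the text says "IACR ePrint 2006/233", so one of the two is a typo and should be checked against the ePrint archive before this hunk passes. The link repair itself is the one the edit summary describes: the standard-model link now targets the cryptography article instead of the disambiguation page (this rendering fuses the removed and added targets as "Standard Modelmodel (cryptography)"). Minor: "RSA-- OAEP" and "SpringerVerlag" in the Fujisaki et al. reference should read "RSA-OAEP" and "Springer-Verlag".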
Line 27:
* ''hLen'' is the length of the output of the hash function in bytes,
* ''k'' is the length of the [[RSA (cryptosystem)|RSA]] modulus ''n'' in bytes,
* ''M'' is the message to be padded, with length ''mLen'' (at most <math>\mathrm{mLen}= k - 2 \cdot \mathrm{hLen} - 2</math> bytes),
* ''L'' is an optional label to be associated with the message (the label is the empty string by default and can be used to authenticate data without requiring encryption),
* ''PS'' is a byte string of <math>k - \mathrm{mLen} - 2 \cdot \mathrm{hLen} - 2</math> null-bytes.
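Review bot: the parenthetical on ''M'' states an equality where the constraint is an upper bound: "at most mLen = k - 2·hLen - 2" should read mLen ≤ k − 2·hLen − 2, which also makes the ''PS'' length k − mLen − 2·hLen − 2 in the last item non-negative by construction. The claim that the label "can be used to authenticate data without requiring encryption" overstates what OAEP provides: the label is bound to the ciphertext (decryption with a different label fails), but the scheme is not a message authentication mechanism, so "bound to the ciphertext" would be the more accurate wording.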
Line 65:
 
===Security===
The "[[All-or-nothing transform|all-or-nothing]]" security is from the fact that to recover ''C:M'', one must recover the entire ''DBmaskedDB'' and the entire ''SeedmaskedSeed''; ''DBmaskedDB'' is required to recover the ''seed'' from the ''SeedmaskedSeed'', and the ''seed'' is required to recover the data block ''DB'' from ''DBmaskedDB''. Since any changed bit of a cryptographic hash completely changes the result, the entire ''DBmaskedDB'', and the entire ''SeedmaskedSeed'' must both be completely recovered.
 
===Implementation===
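Review bot: the variable names in the Security paragraph are the removed and added names run together ("C:M", "DBmaskedDB", "SeedmaskedSeed"), so the intended reading, that recovering ''M'' requires the entire ''maskedDB'' and the entire ''maskedSeed'', should be confirmed and the names aligned with those used in the Implementation section (''maskedDB'', ''maskedSeed'', ''seed'', ''DB''). The sentence "Since any changed bit of a cryptographic hash completely changes the result" would be clearer if it said which value is hashed at each step (''maskedDB'' to unmask the ''seed'', the ''seed'' to unmask ''DB''), matching the dependency chain the preceding sentence lays out.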