Wikipedia

Optimal asymmetric encryption padding: Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
Dachshund (talk | contribs)
1,282 edits
partial description
Dachshund (talk | contribs)
1,282 edits
fleshed out
Line 1:
In [[cryptography]], '''Optimal Asymmetric Encryption Padding''' ('''OAEP''') is a [[padding scheme]] often used together with [[RSA encryption]]. The OAEP algorithm is a form of [[feistel network]] which uses a pair of [[random oracle]]s G and H to process a ciphertext prior to [[asymmetric encryption]]. When combined with any secure [[trapdoor one-way function]] <math>f</math>, this processing results in a combined scheme which is provably[[semantic security|semantically secure]] againstunder [[chosen ciphertextplaintext attack]] (IND-CPA). ToWhen accomplishimplemented thiswith resultcertain trapdoor functions (e.g., RSA-OAEP), OAEP is also secure against [[chosen ciphertext attack]].

OAEP satisfies the following threetwo goals:
 
#Add an element of randomness which can be used to convert a [[deterministic encryption]] scheme (e.g., traditional [[RSA]]) into a [[probabilistic encryption|probabilistic]] scheme.
#Prevent partial decryption of ciphertexts (or other information leakage) by ensuring that an adversary cannot recover any portion of the plaintext without completely defeating the [[trapdoor one-way function]] <math>f</math>.
#Provide a cryptographic integrity check which guarantees "plaintext awareness", i.e., that no adversary can create a ciphertext without knowing the plaintext. This serves to prevent chosen ciphertext attacks.
 
The original version of OAEP (Bellare/Rogaway, 1994) claimed a form of "plaintext awareness" that implied security against [[chosen ciphertext attack]]. Subsequent results contradicted this result. However, for various reasons, the original scheme ''was'' found to be secure when OAEP is used with the RSA function using standard encryption exponents, as in the case of RSA-OAEP. An improved scheme called OAEP+ was offered by Shoup to solve this problem.
See [http://www.zvon.org/tmRFC/RFC2437/Output/chapter9.html RFC2437] for an outline of how OAEP padding and un-padding works in conjunction with RSA.
 
==References==
*M. Bellare, P. Rogaway. ''Optimal Asymmetric Encryption -- How to encrypt with RSA''. Extended abstract in Advances in Cryptology - Eurocrypt 94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed, Springer-Verlag, 1995. Full paper of revised version available below.
 
[[Category:Cryptography]]
Retrieved from "https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding"