Revision as of 19:58, 2 July 2012 edit Xqbot (talk \| contribs) Bots, Template editors 2,374,454 edits m r2.7.3) (Robot: Modifying pl:Optimal Asymmetric Encryption Padding ← Previous edit		Revision as of 19:17, 17 July 2012 edit undo Davesnotthere (talk \| contribs) 11 edits m Technical abbreviations IND-CPA,CCA1,CCA2 introduced without explanation. Provided links. Next edit →
Line 3: In [[cryptography]], '''Optimal Asymmetric Encryption Padding''' ('''OAEP''') is a [[padding (cryptography)\|padding scheme]] often used together with [[RSA (algorithm)\|RSA encryption]]. OAEP was introduced by [[Mihir Bellare\|Bellare]] and [[Phillip Rogaway\|Rogaway]].<ref>[[Mihir Bellare\|M. Bellare]], [[Phillip Rogaway\|P. Rogaway]]. ''Optimal Asymmetric Encryption -- How to encrypt with RSA''. Extended abstract in Advances in Cryptology - [[Eurocrypt]] '94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed, [[Springer-Verlag]], 1995. [http://www-cse.ucsd.edu/users/mihir/papers/oae.pdf full version (pdf)]</ref> The OAEP algorithm is a form of [[Feistel network]] which uses a pair of [[random oracle]]s G and H to process the plaintext prior to [[asymmetric encryption]]. When combined with any secure [[trapdoor one-way function\|trapdoor one-way permutation]] <math>f</math>, this processing is proved in the [[random oracle model]] to result in a combined scheme which is [[semantic security\|semantically secure]] under [[chosen plaintext attack]] [[ciphertext indistinguishability\|(IND-CPA)]]. When implemented with certain trapdoor permutations (e.g., RSA), OAEP is also proved secure against [[chosen ciphertext attack]]. OAEP can be used to build an [[All or nothing transform\|all-or-nothing transform]]. OAEP satisfies the following two goals: Line 10: #Prevent partial decryption of ciphertexts (or other information leakage) by ensuring that an adversary cannot recover any portion of the plaintext without being able to invert the [[trapdoor one-way function\|trapdoor one-way permutation]] <math>f</math>. The original version of OAEP (Bellare/Rogaway, 1994) showed a form of "[[plaintext-aware encryption\|plaintext awareness]]" (which they claimed implies security against [[chosen ciphertext attack]]) in the random oracle model when OAEP is used with any trapdoor permutation. Subsequent results contradicted this claim, showing that OAEP was only [[ciphertext indistinguishability\|IND-CCA1]] secure. However, the original scheme was proved in the [[random oracle model]] to be [[ciphertext indistinguishability\|IND-CCA2]] secure when OAEP is used with the RSA permutation using standard encryption exponents, as in the case of RSA-OAEP.<ref> Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and [[Jacques Stern]]. ''RSA-- OAEP is secure under the RSA assumption''. In J. Kilian, ed., Advances in Cryptology -- [[CRYPTO]] 2001, vol. 2139 of Lecture Notes in Computer Science, SpringerVerlag, 2001. [http://eprint.iacr.org/2000/061.pdf full version (pdf)]</ref> An improved scheme (called OAEP+) that works with any trapdoor one-way permutation was offered by [[Victor Shoup]] to solve this problem.<ref>

Optimal asymmetric encryption padding: Difference between revisions