Revision as of 12:17, 19 September 2006 edit 66.230.200.125 (talk) →References ← Previous edit		Revision as of 18:31, 21 September 2006 edit undo DRLB (talk \| contribs) 294 edits Added comments that proofs are in random oracle model Next edit →
Line 1: In [[cryptography]], '''Optimal Asymmetric Encryption Padding''' ('''OAEP''') is a [[padding (cryptography)\|padding scheme]] often used together with [[RSA\|RSA encryption]]. The OAEP algorithm is a form of [[feistel network]] which uses a pair of [[random oracle]]s G and H to process the plaintext prior to [[asymmetric encryption]]. When combined with any secure [[trapdoor one-way function]] <math>f</math>, this processing ~~results~~is proved in the [[random oracle model]] to result in a combined scheme which is [[semantic security\|semantically secure]] under [[chosen plaintext attack]] (IND-CPA). When implemented with certain trapdoor functions (e.g., RSA~~-OAEP~~), OAEP is also proved secure against [[chosen ciphertext attack]]. OAEP satisfies the following two goals: Line 6: #Prevent partial decryption of ciphertexts (or other information leakage) by ensuring that an adversary cannot recover any portion of the plaintext without completely defeating the [[trapdoor one-way function]] <math>f</math>. The original version of OAEP (Bellare/Rogaway, 1994) claimed a form of "[[plaintext-aware encryption\|plaintext awareness]]" that implied security against [[chosen ciphertext attack]]. Subsequent results contradicted this result. However, for various reasons, the original scheme ''was'' ~~found~~proved in the [[random oracle model]] to be secure when OAEP is used with the RSA function using standard encryption exponents, as in the case of RSA-OAEP. An improved scheme called OAEP+ was offered by [[Victor Shoup]] to solve this problem. ==References==

Optimal asymmetric encryption padding: Difference between revisions