Revision as of 13:53, 14 June 2018 edit Frap (talk \| contribs) Extended confirmed users, File movers, Pending changes reviewers, Rollbackers 35,595 edits →Diagram of OAEP: italic ← Previous edit		Revision as of 16:28, 3 April 2019 edit undo BillHPike (talk \| contribs) Extended confirmed users, IP block exemptions, New page reviewers, Pending changes reviewers, Rollbackers, Temporary account IP viewers 12,837 edits →Diagram of OAEP: Break into subsections; Add notes on implementation; Improve tone; Tweak image syntax Tag: 2017 wikitext editor Next edit →
Line 18: D. Brown, [http://eprint.iacr.org/2006/223 ''What Hashes Make RSA-OAEP Secure?''], IACR ePrint 2006/233.</ref> ==~~Diagram of OAEP~~Algorithm== [[Image:Oaep-diagram-20080305.png\|thumb\|~~250px~~upright=1.2\|right\|OAEP Diagram]] In the diagram, Line 41: # recover the message as ''m''00..0 = ''X'' ⊕ ''G''(''r'') ===Security=== The "[[All-or-nothing transform\|all-or-nothing]]" security is from the fact that to recover ''m'', ~~you~~one must recover the entire ''X'' and the entire ''Y''; ''X'' is required to recover ''r'' from ''Y'', and ''r'' is required to recover ''m'' from ''X''. Since any changed bit of a cryptographic hash completely changes the result, the entire ''X'', and the entire ''Y'' must both be completely recovered. ===Implementation=== In the PKCS#1 standard, the hash functions ''G'' and ''H'' identical. The PKCS#1 standard further requires that the hash functions be based on [[MGF1]].<ref>{{Cite journal\|url=https://eprint.iacr.org/2006/223.pdf\| title=What Hashes Make RSA-OAEP Secure?\|journal = IACR Cryptology ePrint Archive\| last=Brown \|first=Daniel R. L.\| date=2006\| language=en\|access-date=2019-04-03}}</ref> ==See also==

Optimal asymmetric encryption padding: Difference between revisions