Optimal asymmetric encryption padding: Difference between revisions

DRLB (talk | contribs)
Added comments that proofs are in random oracle model
Drdrlb (talk | contribs)
Commented about security proofs in the standard model
Line 1:
In [[cryptography]], '''Optimal Asymmetric Encryption Padding''' ('''OAEP''') is a [[padding (cryptography)|padding scheme]] often used together with [[RSA|RSA encryption]]. The OAEP algorithm is a form of [[Feistel network]] which uses a pair of [[random oracle]]s G and H to process the plaintext prior to [[asymmetric encryption]]. When combined with any secure [[trapdoor one-way function]] <math>f</math>, this processing is proved in the [[random oracle model]] to result in a combined scheme which is [[semantic security|semantically secure]] under [[chosen plaintext attack]] (IND-CPA). When implemented with certain trapdoor functions (e.g., RSA), OAEP is also proved secure against [[chosen ciphertext attack]]. Some evidence suggests that the security of RSA-OAEP cannot be proved in the standard model under the assumption that the [[RSA problem]] is hard.
 
OAEP satisfies the following two goals:
 
#Add an element of randomness which can be used to convert a [[deterministic encryption]] scheme (e.g., traditional [[RSA]]) into a [[probabilistic encryption|probabilistic]] scheme.
#Prevent partial decryption of ciphertexts (or other information leakage) by ensuring (as far as we can tell) that an adversary cannot recover any portion of the plaintext without completely defeating the [[trapdoor one-way function]] <math>f</math>.
 
The original version of OAEP (Bellare/Rogaway, 1994) claimed a form of "[[plaintext-aware encryption|plaintext awareness]]" that implied security against [[chosen ciphertext attack]]. Subsequent results contradicted this claim. However, for various reasons, the original scheme was proved in the [[random oracle model]] to be secure when OAEP is used with the RSA function using standard encryption exponents, as in the case of RSA-OAEP. An improved scheme called OAEP+ was offered by [[Victor Shoup]] to solve this problem.
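
The two-round Feistel structure with G and H described above, written out as an added example (not part of the original article and not any standard's reference code). G and H are instantiated with SHA-256 in counter mode as a stand-in for random oracles; the sizes <code>K0</code> and <code>K1</code>, the function names and the block layout are assumptions chosen for illustration, and the trapdoor function <math>f</math> is left out.

```python
import hashlib
import hmac
import os

K0 = 32  # bytes of fresh randomness r (assumed size)
K1 = 16  # bytes of zero redundancy appended to the message (assumed size)

def _oracle(tag, seed, length):
    """Stand-in for a random oracle: SHA-256 in counter mode, separated by tag."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(tag + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def oaep_pad(m, r=None):
    """Return X || Y with X = (m || 0^K1) xor G(r) and Y = r xor H(X)."""
    r = os.urandom(K0) if r is None else r
    if len(r) != K0:
        raise ValueError("r must be K0 bytes")
    data = m + b"\x00" * K1
    x = _xor(data, _oracle(b"G", r, len(data)))  # first Feistel round
    y = _xor(r, _oracle(b"H", x, K0))            # second Feistel round
    return x + y

def oaep_unpad(block):
    """Invert both rounds and reject the block if the zero redundancy is damaged."""
    if len(block) < K0 + K1:
        raise ValueError("block too short")
    x, y = block[:-K0], block[-K0:]
    r = _xor(y, _oracle(b"H", x, K0))
    data = _xor(x, _oracle(b"G", r, len(x)))
    if not hmac.compare_digest(data[-K1:], b"\x00" * K1):
        raise ValueError("invalid padding")
    return data[:-K1]
```

Recovering any part of the message requires all of X (to compute H(X) and hence r) and all of Y, which is why inverting only part of <math>f</math> does not help an adversary.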
Line 10:
==References==
*M. Bellare, P. Rogaway. ''Optimal Asymmetric Encryption -- How to encrypt with RSA''. Extended abstract in Advances in Cryptology - Eurocrypt 94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed, Springer-Verlag, 1995. [http://www-cse.ucsd.edu/users/mihir/papers/oae.pdf full version (pdf)]
 
*D. Brown, [http://eprint.iacr.org/2006/223 ''Unprovable Security of RSA-OAEP in the Standard Model''], IACR ePrint 2006/223.
 
*Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and Jacques Stern. ''RSA-OAEP is secure under the RSA assumption''. In J. Kilian, ed., Advances in Cryptology -- CRYPTO 2001, vol. 2139 of Lecture Notes in Computer Science, Springer-Verlag, 2001. [http://eprint.iacr.org/2000/061.pdf full version (pdf)]
 
*P. Paillier and J. Villar, ''Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption'', Advances in Cryptology -- Asiacrypt 2006.
 
*Victor Shoup. ''OAEP Reconsidered''. IBM Zurich Research Lab, Saumerstr. 4, 8803 Ruschlikon, Switzerland. September 18, 2001. [http://www.shoup.net/papers/oaep.pdf full version (pdf)]