Optimal asymmetric encryption padding: Difference between revisions

In [[cryptography]], '''Optimal Asymmetric Encryption Padding''' ('''OAEP''') is a [[padding (cryptography)|padding scheme]] often used together with [[RSA|RSA encryption]]. The OAEP algorithm is a form of [[feistel network]] which uses a pair of [[random oracle]]s G and H to process the plaintext prior to [[asymmetric encryption]]. When combined with any secure [[trapdoor one-way function|trapdoor one-way permutation]] <math>f</math>, this processing is proved in the [[random oracle model]] to result in a combined scheme which is [[semantic security|semantically secure]] under [[chosen plaintext attack]] (IND-CPA). When implemented with certain trapdoor functionspermutations (e.g., RSA), OAEP is also proved secure against [[chosen ciphertext attack]]. Some evidence suggests that security of RSA-OAEP cannot be proved in the standard model as(i.e., securewithout asrandom oracles) based on the [[RSA problem]] is hard.

#Prevent partial decryption of ciphertexts (or other information leakage) by ensuring (as far as we can tell) that an adversary cannot recover any portion of the plaintext without completelybeing able to defeatinginvert the [[trapdoor one-way function]] <math>f</math>.

The original version of OAEP (Bellare/Rogaway, 1994) claimed a form of "[[plaintext-aware encryption|plaintext awareness]]" (that impliedimplies security against [[chosen ciphertext attack]]) in the random oracle model when OAEP is used with any trapdoor permutation. Subsequent results contradicted this result. However, for various reasons, the original scheme was proved in the [[random oracle model]] to be secure when OAEP is used with the RSA functionpermutation using standard encryption exponents, as in the case of RSA-OAEP. An improved scheme (called OAEP+) that works with any trapdoor one-way permutation was offered by [[Victor Shoup]] to solve this problem.