#Add an element of randomness which can be used to convert a [[deterministic encryption]] scheme (e.g., traditional [[RSA]]) into a [[probabilistic encryption|probabilistic]] scheme.
#Prevent partial decryption of ciphertexts (or other information leakage) by ensuring that an adversary cannot recover any portion of the plaintext without being able to invert the [[trapdoor one-way function|trapdoor one-way permutation]] <math>f</math>.
The original version of OAEP (Bellare/Rogaway, 1994) claimed a form of "[[plaintext-aware encryption|plaintext awareness]]" (which implies security against [[chosen ciphertext attack]]) in the random oracle model when OAEP is used with any trapdoor permutation. Subsequent results contradicted this claim. However, the original scheme was proved secure in the [[random oracle model]] when OAEP is used with the RSA permutation using standard encryption exponents, as in the case of RSA-OAEP. To solve this problem, [[Victor Shoup]] offered an improved scheme (called OAEP+) that works with any trapdoor one-way permutation.
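The two goals listed above can be seen in a small sketch of the original two-round OAEP transform, added here as an illustration and not taken from the article or from any standard's encoding. The sizes <code>K0</code> and <code>K1</code>, the use of SHA-256 based MGF1 for the oracles <math>G</math> and <math>H</math>, and the one-byte domain prefixes are assumptions of this example; the trapdoor permutation <math>f</math> that would be applied to the padded block is left out.

```python
import hashlib
import hmac
import os

K0 = 16  # bytes of randomness r (size assumed for this sketch)
K1 = 16  # bytes of zero redundancy checked on decode (size assumed)

def mgf1(seed, length):
    """SHA-256 based mask generation, standing in for the oracles G and H."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(m, r=None):
    """Return X || Y with X = (m || 0^K1) xor G(r) and Y = r xor H(X)."""
    r = os.urandom(K0) if r is None else r  # goal 1: fresh randomness per call
    data = m + b"\x00" * K1
    x = xor(data, mgf1(b"G" + r, len(data)))
    y = xor(r, mgf1(b"H" + x, K0))
    return x + y

def oaep_unpad(padded):
    """Invert the transform; reject blocks whose zero redundancy is damaged."""
    x, y = padded[:-K0], padded[-K0:]
    r = xor(y, mgf1(b"H" + x, K0))        # r needs all of X and all of Y
    data = xor(x, mgf1(b"G" + r, len(x)))  # goal 2: a wrong r garbles every byte
    if not hmac.compare_digest(data[-K1:], b"\x00" * K1):
        raise ValueError("invalid OAEP block")
    return data[:-K1]

def rejects_modified_block(m):
    """Flip one bit of a padded block and report whether decoding rejects it."""
    block = bytearray(oaep_pad(m))
    block[0] ^= 0x01
    try:
        oaep_unpad(bytes(block))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    msg = b"same plaintext"  # constructed sample input
    print(oaep_pad(msg) != oaep_pad(msg))   # two encodings of one message differ
    print(oaep_unpad(oaep_pad(msg)) == msg)
    print(rejects_modified_block(msg))
```

Because recovering <code>r</code> requires every byte of both halves, the whole padded block has to be obtained by inverting <math>f</math> before any part of the message can be unmasked.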