OAEP Reconsidered

14 years 4 months ago

Download www.shoup.net

The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt ’94. It converts any trapdoor permutation scheme into a public-key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justiﬁcation for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justiﬁcation is invalid. First, it observes that there appears to be a non-trivial gap in the OAEP security proof. Second, it proves that this gap cannot be ﬁlled, in the sense that there can be no standard “black box” security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure. The paper also presents a new scheme OAEP+, along with a complete proof of security in the random oracle model. OAEP+ is essentially just as eﬃcient as OAEP, and even has a ti...

Victor Shoup

Real-time Traffic

CRYPTO 2001 | Cryptology | Encryption Scheme | Random Oracle Model | Trapdoor Permutation Scheme |

claim paper

Post Info
More Details (n/a)

Added	28 Jul 2010
Updated	28 Jul 2010
Type	Conference
Year	2001
Where	CRYPTO
Authors	Victor Shoup

Comments (0)

Sciweavers

OAEP Reconsidered

CRYPTO 2001 | Cryptology | Encryption Scheme | Random Oracle Model | Trapdoor Permutation Scheme |

Explore & Download

Productivity Tools

Document Tools

Image Tools

Sciweavers