International Association for Cryptologic Research

CryptoDB

RSA-OAEP is Secure under the RSA Assumption

Authors:
Eiichiro Fujisaki
Tatsuaki Okamoto
David Pointcheval
Jacques Stern
Download:
URL: http://eprint.iacr.org/2000/061
Abstract: Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) one-wayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.
BibTeX
@misc{eprint-2000-11405,
  title={RSA-OAEP is Secure under the RSA Assumption},
  booktitle={IACR Eprint archive},
  keywords={cryptographic protocols /},
  url={http://eprint.iacr.org/2000/061},
  note={ David.Pointcheval@ens.fr 11471 received 27 Nov 2000, last revised 29 May 2001},
  author={Eiichiro Fujisaki and Tatsuaki Okamoto and David Pointcheval and Jacques Stern},
  year=2000
}