[Resource Topic] 2000/061: RSA-OAEP is Secure under the RSA Assumption

Welcome to the resource topic for 2000/061

RSA-OAEP is Secure under the RSA Assumption

Authors: Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, Jacques Stern


Recently Victor Shoup noted that there is a gap in
the widely-believed security result of OAEP against adaptive
chosen-ciphertext attacks. Moreover, he showed that
OAEP cannot be proven secure from the one-wayness
of the underlying trapdoor permutation.
This paper establishes another result on the security
of OAEP. It proves that OAEP offers semantic security
against adaptive chosen-ciphertext attacks,
in the random oracle model, under the partial-domain
one-wayness of the underlying permutation.
Therefore, this uses a formally stronger assumption.
Nevertheless, since partial-domain one-wayness of the RSA function
is equivalent to its (full-domain) one-wayness, it follows that
the security of RSA–OAEP can actually
be proven under the sole RSA assumption, although
the reduction is not tight.

ePrint: https://eprint.iacr.org/2000/061

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.