Paper 2011/559
Instantiability of RSA-OAEP under Chosen-Plaintext Attack
Eike Kiltz, Adam O'Neill, and Adam Smith
Abstract
We show that the widely deployed RSA-OAEP encryption scheme of Bellare and Rogaway (Eurocrypt 1994), which combines RSA with two rounds of an underlying Feistel network whose hash (i.e., round) functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions. To prove this, we first give a result on a more general notion called "padding-based" encryption, saying that such a scheme is IND-CPA if (1) its underlying padding transform satisfies a "fooling" condition against small-range distinguishers on a class of high-entropy input distributions, and (2) its trapdoor permutation is sufficiently lossy as defined by Peikert and Waters (STOC 2008). We then show that the first round of OAEP satisfies condition (1) if its hash function is
Note: This is the full version.
Metadata
- Available format(s)
- PDF
- Category
- Public-key cryptography
- Publication info
- Published elsewhere. To appear in Journal of Cryptology
- Keywords
- RSA, OAEP, padding-based encryption, lossy trapdoor functions, leftover hash lemma, standard model
- Contact author(s)
- amoneill @ gmail com
- History
- 2016-07-04: last of 2 revisions
- 2011-10-17: received
- Short URL
- https://ia.cr/2011/559
- License
- CC BY
BibTeX
@misc{cryptoeprint:2011/559,
  author = {Eike Kiltz and Adam O'Neill and Adam Smith},
  title = {Instantiability of {RSA}-{OAEP} under Chosen-Plaintext Attack},
  howpublished = {Cryptology {ePrint} Archive, Paper 2011/559},
  year = {2011},
  url = {https://eprint.iacr.org/2011/559}
}