Abstract
An adaptive chosen ciphertext attack against PKCS #1 v2.0 RSA OAEP encryption is described. It recovers the plaintext - not the private key - from a given ciphertext in a little over log2 n queries of an oracle implementing the algorithm, where n is the RSA modulus. The high likelihood of implementations being susceptible to this attack is explained as well as the practicality of the attack. Improvements to the algorithm to defend against the attack are discussed.
Chapter PDF
Similar content being viewed by others
References
D. Bleichenbacher: Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. In Hugo Krawczyk (ed.), Advances in Cryptology-CRYPTO’ 98, pages 1–12, Berlin, Springer, 1998 (Lecture Notes in Computer Science, vol. 1462).
PKCS #1 v2.0: RSA Cryptography Standard, 1 October 1998. http://www.rsasecurity.com/rsalabs/pkcs/
PKCS #1 v2.1 draft 2: RSA Cryptography Standard, 5 January 2001. http://www.rsasecurity.com/rsalabs/pkcs/
IEEE 1363 draft 13: Standard Specifications for Public Key Cryptography, 12 November 1999. http://grouper.ieee.org/groups/1363/
M. Bellare and P. Rogaway: Optimal Asymmetric Encryption Padding — How to Encrypt with RSA. In Advances in Cryptology — EUROCRYPT’ 94, pages 92–111, Springer-Verlag, 1994.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2001 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Manger, J. (2001). A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0. In: Kilian, J. (eds) Advances in Cryptology — CRYPTO 2001. CRYPTO 2001. Lecture Notes in Computer Science, vol 2139. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44647-8_14
Download citation
DOI: https://doi.org/10.1007/3-540-44647-8_14
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42456-7
Online ISBN: 978-3-540-44647-7
eBook Packages: Springer Book Archive