Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

Instantiability of RSA-OAEP Under Chosen-Plaintext Attack

  • 421 Accesses

  • 3 Citations


We show that the widely deployed RSA-OAEP encryption scheme of Bellare and Rogaway (Eurocrypt 1994), which combines RSA with two rounds of an underlying Feistel network whose hash ( i.e., round) functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions. To prove this, we first give a result on a more general notion called “padding-based” encryption, saying that such a scheme is IND-CPA if (1) its underlying padding transform satisfies a “fooling" condition against small-range distinguishers on a class of high-entropy input distributions, and (2) its trapdoor permutation is sufficiently lossy as defined by Peikert and Waters (STOC 2008). We then show that the first round of OAEP satisfies condition (1) if its hash function is t-wise independent for t roughly proportional to the allowed message length. We clarify that this result requires the hash function to be keyed, and for its key to be included in the public key of RSA-OAEP. We also show that RSA satisfies condition (2) under the \(\Phi \)-Hiding Assumption of Cachin et al. (Eurocrypt 1999). This is the first positive result about the instantiability of RSA-OAEP. In particular, it increases confidence that chosen-plaintext attacks are unlikely to be found against the scheme. In contrast, RSA-OAEP’s predecessor in PKCS #1 v1.5 was shown to be vulnerable to such attacks by Coron et al. (Eurocrypt 2000).

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2


  1. 1.

    We often use the same terminology for ‘f-OAEP,’ which refers to OAEP using an abstract TDP f, with the meaning hopefully clear from context.

  2. 2.

    Such schemes were called “simple embedding schemes” by Bellare and Rogaway [5], who discussed them only on an intuitive level.

  3. 3.

    In the formal definition, we actually consider an “external” distinguisher who gets the extractor seed; see Sect. 3 for details.

  4. 4.

    In particular, this result requires that G is a keyed hash function whose key is included in the public key for OAEP. On the other hand, cryptographic hash functions are typically unkeyed. But see “Using unkeyed hash functions” below.

  5. 5.

    We remark that the recent attacks on \(\Phi \)A [56] are for moduli of a special form that does not include RSA.

  6. 6.

    Note, however, that their result does not rule out such a proof based on other properties of the TDP, non-black-box assumptions on the hash functions, or in the case of a specific TDP like RSA.

  7. 7.

    In particular, their security notion does not imply IND-CPA since they consider random messages. We also point out that it remains an open question whether NM-PRGs can be constructed.

  8. 8.

    We note that [49] actually defines lossy trapdoor functions, but the extension to permutations is straightforward.

  9. 9.

    This is done by choosing a uniform \((1/2-c)k\)-bit number x until \(p = x e + 1\) is a prime.

  10. 10.

    Additionally, in practice the encryption exponent e is usually fixed. This can be addressed by parameterizing E\(\Phi \)A by a fixed e instead of choosing it at random. Note that for \(e = 3\) one should make both \(e~|~p-1\) and \(e~|~q-1\) in the lossy case (otherwise the assumption is false [16]).


  1. 1.

    M. Abdalla, M. Bellare, P. Rogaway, The oracle Diffie–Hellman assumptions and an analysis of DHIES, in D. Naccache, editor, CT-RSA 2001. LNCS, vol. 2020 (Springer, Heidelberg, April 2001), pp. 143–158

  2. 2.

    B. Barak, R. Shaltiel, E. Tromer, True random number generators secure in a changing environment, in C.D. Walter, Ç.K. Koç, C. Paar, editors, CHES 2003. LNCS, vol. 2779 (Springer, Heidelberg, September 2003), pp. 166–180

  3. 3.

    M. Bellare, A. Boldyreva, A. O’Neill, Deterministic and efficiently searchable encryption, in A. Menezes, editor, CRYPTO 2007. LNCS, vol. 4622 (Springer, Heidelberg, August 2007), pp. 535–552

  4. 4.

    M. Bellare, V.T. Hoang, S. Keelveedhi, Instantiating random oracles via UCEs, in R. Canetti, J.A. Garay, editors, CRYPTO 2013, Part II. LNCS, vol. 8043 (Springer, Heidelberg, August 2013), pp. 398–415

  5. 5.

    M. Bellare, A. Palacio, Towards plaintext-aware public-key encryption without random oracles, in P.J. Lee, editor, ASIACRYPT 2004. LNCS, vol. 3329 (Springer, Heidelberg, December 2004), pp. 48–62

  6. 6.

    M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols. in V. Ashby, editor, ACM CCS 93. (ACM Press, November 1993), pp. 62–73

  7. 7.

    M. Bellare, P. Rogaway, Optimal asymmetric encryption, in A. De Santis, editor, EUROCRYPT’94. LNCS, vol. 950 (Springer, Heidelberg, May 1995), pp. 92–111

  8. 8.

    M. Bellare, J. Rompel, Randomness-efficient oblivious sampling, in 35th FOCS. (IEEE Computer Society Press, November 1994), pp. 276–287

  9. 9.

    M. Blum, P. Feldman, S. Micali, Proving security against chosen cyphertext attacks, in S. Goldwasser, editor, CRYPTO’88. LNCS, vol. 403 (Springer, Heidelberg, August 1990), pp. 256–268

  10. 10.

    A. Boldyreva, D. Cash, M. Fischlin, B. Warinschi, Foundations of non-malleable hash and one-way functions, in M. Matsui, editor, ASIACRYPT 2009. LNCS, vol. 5912 (Springer, Heidelberg, December 2009), pp. 524–541

  11. 11.

    A. Boldyreva, S. Fehr, A. O’Neill, On notions of security for deterministic encryption, and efficient constructions without random oracles, in D. Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, Heidelberg, August 2008), pp. 335–359

  12. 12.

    A. Boldyreva, M. Fischlin, Analysis of random oracle instantiation scenarios for OAEP and other practical schemes, in V. Shoup, editor, CRYPTO 2005. LNCS, vol. 3621 (Springer, Heidelberg, August 2005), pp. 412–429

  13. 13.

    A. Boldyreva, M. Fischlin, On the security of OAEP, in X. Lai, K. Chen, editors, ASIACRYPT 2006. LNCS, vol. 4284 (Springer, Heidelberg, December 2006), pp. 210–225

  14. 14.

    D. Boneh, Simplified OAEP for the RSA and Rabin functions, in J. Kilian, editor, CRYPTO 2001. LNCS, vol. 2139 (Springer, Heidelberg, August 2001), pp. 275–291

  15. 15.

    D.R.L. Brown, What hashes make RSA-OAEP secure? Cryptology ePrint Archive. Report 2006/223. http://eprint.iacr.org/ (2006)

  16. 16.

    C. Cachin, Efficient private bidding and auctions with an oblivious third party, in ACM CCS 99. (ACM Press, November 1999), pp. 120–127

  17. 17.

    C. Cachin, S. Micali, M. Stadler, Computationally private information retrieval with polylogarithmic communication, in J. Stern, editor, EUROCRYPT’99. LNCS, vol. 1592 (Springer, Heidelberg, May 1999), pp. 402–414

  18. 18.

    R. Canetti, Towards realizing random oracles: hash functions that hide all partial information, in B.S. Kaliski Jr., editor, CRYPTO’97. LNCS, vol. 1294 (Springer, Heidelberg, August 1997), pp. 455–469

  19. 19.

    R. Canetti, R.R. Dakdouk, Extractable perfectly one-way functions, in L. Aceto, I. Damgård, L.A. Goldberg, M.M. Halldórsson, A. Ingólfsdóttir, I. Walukiewicz, editors, ICALP 2008, Part II. LNCS, vol. 5126 (Springer, Heidelberg, July 2008), pp. 449–460

  20. 20.

    R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited. J. ACM, 51(4), 557–594 (2004)

  21. 21.

    R. Canetti, D. Micciancio, O. Reingold, Perfectly one-way probabilistic hash functions (preliminary version), in 30th ACM STOC. (ACM Press, May 1998), pp. 131–140

  22. 22.

    D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol., 10(4), 233–260 (1997)

  23. 23.

    J.-S. Coron, M. Joye, D. Naccache, P. Paillier, New attacks on PKCS#1 v1.5 encryption, in B. Preneel, editor, EUROCRYPT 2000. LNCS, vol. 1807 (Springer, Heidelberg, May 2000), pp. 369–381

  24. 24.

    J.-S. Coron, M. Joye, D. Naccache, P. Paillier, Universal padding schemes for RSA, in M. Yung, editor, CRYPTO 2002. LNCS, vol. 2442 (Springer, Heidelberg, August 2002), pp. 226–241

  25. 25.

    Y. Dodis, R. Oliveira, K. Pietrzak, On the generic insecurity of the full domain hash, in V. Shoup, editor, CRYPTO 2005. LNCS, vol. 3621 (Springer, Heidelberg, August 2005), pp. 449–466

  26. 26.

    Y. Dodis, A. Sahai, A. Smith, On perfect and adaptive security in exposure-resilient cryptography, in B. Pfitzmann, editor, EUROCRYPT 2001. LNCS, vol. 2045 (Springer, Heidelberg, May 2001), pp. 301–324

  27. 27.

    Y. Dodis, A. Smith, Correcting errors without leaking partial information, in H.N. Gabow, R. Fagin, editors, 37th ACM STOC. (ACM Press, May 2005), pp. 654–663

  28. 28.

    D.M. Freeman, O. Goldreich, E. Kiltz, A. Rosen, G. Segev, More constructions of lossy and correlation-secure trapdoor functions. J. Cryptol., 26(1), 39–74 (2013)

  29. 29.

    E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern, RSA-OAEP is secure under the RSA assumption. J. Cryptol., 17(2), 81–104 (2004)

  30. 30.

    C. Gentry, P.D. Mackenzie, Z. Ramzan, Password authenticated key exchange using hidden smooth subgroups, in V. Atluri, C. Meadows, A. Juels, editors, ACM CCS 05. (ACM Press, November 2005), pp. 299–309

  31. 31.

    O. Goldreich, Foundations of Cryptography: Basic Applications, vol. 2 (Cambridge University Press, Cambridge, UK, 2004)

  32. 32.

    S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci., 28(2), 270–299 (1984)

  33. 33.

    B. Harris, RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol. RFC 4432

  34. 34.

    B. Hemenway, R. Ostrovsky, Public-key locally-decodable codes, in D. Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, Heidelberg, August 2008), pp. 126–143

  35. 35.

    B. Hemenway, R. Ostrovsky, A. Rosen, Non-committing encryption from \(\phi \)-hiding, in Y. Dodis, J.B. Nielsen, editors, TCC 2015, Part I. LNCS, vol. 9014 of (Springer, Heidelberg, March 2015), pp. 591–608

  36. 36.

    M. Herrmann, Improved cryptanalysis of the multi-prime \(\phi \)-hiding assumption. in A. Nitaj, D. Pointcheval, editors, AFRICACRYPT 11. LNCS, vol. 6737 (Springer, Heidelberg, July 2011), pp. 92–99

  37. 37.

    D. Hofheinz, E. Kiltz, The group of signed quadratic residues and applications, in S. Halevi, editor, CRYPTO 2009. LNCS, vol. 5677 (Springer, Heidelberg, August 2009), pp. 637–653

  38. 38.

    E. Kiltz, K. Pietrzak, Personal communication (2009)

  39. 39.

    E. Kiltz, A. O’Neill, A. Smith, Instantiability of RSA-OAEP under chosen-plaintext attack, in T. Rabin, editor, CRYPTO 2010. LNCS, vol. 6223 (Springer, Heidelberg, August 2010), pp. 295–313

  40. 40.

    E. Kiltz, K. Pietrzak, On the security of padding-based encryption schemes- or -why we cannot prove OAEP secure in the standard model, in A. Joux, editor, EUROCRYPT 2009. LNCS, vol. 5479 (Springer, Heidelberg, April 2009), pp. 389–406

  41. 41.

    K. Kobara, H. Imai, OAEP++ : a very simple way to apply oaep to deterministic ow-cpa primitives. Cryptology ePrint Archive, Report 2002/130. http://eprint.iacr.org/ (2002)

  42. 42.

    A.K. Lenstra, Unbelievable security. Matching AES security using public key systems (invited talk), in C. Boyd, editor, ASIACRYPT 2001. LNCS, vol. 2248 (Springer, Heidelberg, December 2001), pp. 67–86

  43. 43.

    M. Lewko, A. O’Neill, A. Smith, Regularity of lossy RSA on subdomains and its applications, in T. Johansson, P.Q. Nguyen, editors, EUROCRYPT 2013. LNCS, vol. 7881 (Springer, Heidelberg, May 2013), pp. 55–75

  44. 44.

    A. May, Using lll-reduction for solving rsa and factorization problems: a survey, in LLL+25 Conference in Honour of the 25th Birthday of the LLL Algorithm (2007)

  45. 45.

    S. Micali, C. Rackoff, B. Sloan, The notion of security for probabilistic cryptosystems, in A.M. Odlyzko, editor, CRYPTO’86. LNCS, vol. 263 (Springer, Heidelberg, August 1987), pp. 381–392

  46. 46.

    P. Mol, S. Yilek, Chosen-ciphertext security from slightly lossy trapdoor functions, in P.Q. Nguyen, D. Pointcheval, editors, PKC 2010. LNCS, vol. 6056 (Springer, Heidelberg, May 2010), pp. 296–311

  47. 47.

    N. Nisan, D. Zuckerman, Randomness is linear in space. J. Comput. Syst. Sci., 52(1), 43–52 (1996)

  48. 48.

    P. Paillier, J.L. Villar, Trading one-wayness against chosen-ciphertext security in factoring-based encryption, in X. Lai, K. Chen, editors, ASIACRYPT 2006. LNCS, vol. 4284 (Springer, Heidelberg, December 2006), pp. 252–266

  49. 49.

    O. Pandey, R. Pass, V. Vaikuntanathan, Adaptive one-way functions and applications, in D. Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, Heidelberg, August 2008), pp. 57–74

  50. 50.

    C. Peikert, B. Waters, Lossy trapdoor functions and their applications. SIAM J. Comput., 40(6), 1803–1844 (2011)

  51. 51.

    Rsa public-key cryptography standards (pkcs). http://www.rsa.com/rsalabs/node.asp?id=2124

  52. 52.

    M.O. Rabin, Digitalized signatures and public-key functions as intractable as factorization. Technical report (1979)

  53. 53.

    C. Rackoff, D.R. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in J. Feigenbaum, editor, CRYPTO’91. LNCS. vol. 576 (Springer, Heidelberg, August 1992), pp. 433–444

  54. 54.

    R.L. Rivest, A. Shamir, L. Adelman, U.S. patent 4405829: cryptographic communications system and method

  55. 55.

    R.L. Rivest, A. Shamir, L. Adelman, A method for obtaining public-key cryptosystems and digital signatures. Technical Memo MIT/LCS/TM-82, Massachusetts Institute of Technology, Laboratory for Computer Science (1977)

  56. 56.

    C. Schridde, B. Freisleben, On the validity of the phi-hiding assumption in cryptographic protocols, in J. Pieprzyk, editor, ASIACRYPT 2008. LNCS, vol. 5350 (Springer, Heidelberg, December 2008), pp. 344–354

  57. 57.

    Y. Seurin, On the lossiness of the Rabin trapdoor function, in H. Krawczyk, editor, PKC 2014. LNCS, vol. 8383 (Springer, Heidelberg, March 2014), pp. 380–398

  58. 58.

    V. Shoup, OAEP reconsidered. J. Cryptol., 15(4), 223–249 (2002)

  59. 59.

    A. Smith, Y. Zhang, On the regularity of lossy RSA—improved bounds and applications to padding-based encryption, in Y. Dodis, J.B. Nielsen, editors, TCC 2015, Part I. LNCS, vol. 9014 (Springer, Heidelberg, March 2015), pp. 609–628

  60. 60.

    K. Tosu, N. Kunihiro, Optimal bounds for multi-prime phi-hiding assumption, in Information Security and Privacy—17th Australasian Conference, ACISP 2012, Wollongong, NSW, Australia, July 9–11, 2012. Proceedings (2012), pp. 1–14

  61. 61.

    L. Trevisan, S.P. Vadhan, Extracting randomness from samplable distributions, in 41st FOCS (IEEE Computer Society Press, November 2000), pp. 32–42

  62. 62.

    M.N. Wegman, L. Carter, New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)

  63. 63.

    S. Yilek, E. Rescorla, H. Shacham, B. Enright, S. Savage, When private keys are public: results from the 2008 debian openssl vulnerability, in Internet Measurement Conference

  64. 64.

    P. Zimmerman, Integer factoring records. http://www.loria.fr/~zimmerma/records/factor.html

Download references


We thank Mihir Bellare, Alexandra Boldyreva, Dan Brown, Yevgeniy Dodis, Mathias Herrmann, Jason Hinek, Arjen Lenstra, Alex May, Phil Rogaway, and the anonymous reviewers of Crypto 2010 and the Journal of Cryptology for helpful comments. In particular, we thank Dan for reminding us of [16, Remark2,p. 6], Alex and Mathias for pointing out the improved attacks in Sect. 5.3, Phil for encouraging us to consider the case of small e more closely and for telling us that KI security as defined in Appendix 8 was previously considered by [44], and Yevgeniy for suggesting the statement of Lemma 4.5 (our original lemma was specific to OAEP).

      Part of this work was done, while E.K. was at CWI, Amsterdam. E.K. is funded by ERC Project ERCC (FP7/615074) and the German Federal Ministry for Education and Research. Part of this work was done while A.O. was at Georgia Institute of Technology, supported in part by NSF award #0545659 and NSF Cyber Trust award #0831184. A.S. was supported in part by NSF awards #0747294, 0729171.

      Eike Kiltz was partially supported by DFG grant KI 795/4-1 and ERC Project ERCC (FP7/615074). Adam Smith was funded by US National Science Foundation award CCF-0747294.

Author information

Correspondence to Eike Kiltz.

Additional information

A preliminary version of this paper appears in Advances in Cryptology—CRYPTO 2010, 30th Annual International Cryptology Conference, T. Rabin ed., LNCS, Springer, 2010. This is the full version.

Communicated by Kenneth Paterson.


Appendix 1: Proof of Lemma 4.5

We introduce the following notation for the proof. For a random variable V with range \({\mathcal {V}}\), we define the collision probability of V as \(\mathrm {Col}(V) = \Pr \left[ \, V = V' \,\right] = \sum _{v \in {\mathcal {V}}} P_V(v)^2\) where \(V'\) is an independent copy of V, and for an event \({\mathcal {E}}\) we define the conditional collision probability \(\mathrm {Col}_{{\mathcal {E}}}(V) = {\Pr }\left[ \, V = V'\,\left| \right. \,{\mathcal {E}}\,\right] \). For random variables VW, we define the square of the 2-distance as \(D(V,W) = \sum _v \big (P_V(v) - P_W(v)\big )^2\).

Writing \({\mathbf{E}}_k\) for expectation over the choice of random k from \({\mathcal {K}}\), we have

$$\begin{aligned}&\Delta \bigl ((K,g(X,h(K,X))), (K,g(X,U))\bigr ) \,=\,{\mathbf{E}}_k\bigl [ \Delta \bigl (g(X,h(k,X)), g(X,U)\bigr ) \bigr ] \end{aligned}$$
$$\begin{aligned}&\,\le \,\frac{1}{2} {\mathbf{E}}_k\biggl [ \sqrt{|S| \, D\bigl (g(X,h(k,X)), g(X,U)\bigr )} \biggr ] \nonumber \\&\quad \,\le \,\frac{1}{2} \sqrt{|S| \, {\mathbf{E}}_k \bigl [ D\bigl (g(X,h(k,X)), g(X,U)\bigr ) \bigl ]} \end{aligned}$$

where the first inequality is by Cauchy-Swartz and the second is by Jensen’s inequality. We now show

$$\begin{aligned}{\mathbf{E}}_k\bigl [ D\bigl (g(X,h(k,X)), g(X,U)\bigr ) \bigl ] \,\le \,\mathrm {Col}(X) \, \end{aligned}$$

from which the theorem follows. Write \((X,Y_k) = (X,h(k,X))\) for an arbitrary but fixed k. Then

$$\begin{aligned} D\bigl (g(X,Y_k), g(X,U)\bigr )&\,=\,\sum _s \big ( P_{g(X,Y_k)}(s) - P_{g(X,U)}(s) \big )^2 \\&\,=\,\sum _s P_{g(X,Y_k)}(s)^2 - 2\sum _s P_{g(X,Y_k)}(s)P_{g(X,U)}(s) \\&\quad + \sum _s P_{g(X,U)}(s)^2 \, . \end{aligned}$$

Using the Kronecker delta \(\delta _{s,s'}\) which equals 1 if \(s =s'\) and else 0 for all \(s,s' \in S\), we can write \(P_{g(X,Y_k)}(s) = \sum _x P_X(x) \delta _{g(x,h(k,x)),s}\), and thus

$$\begin{aligned} \sum _s P_{g(X,Y_k)}(s)^2&\,=\,\sum _s \bigg (\sum _{x} P_X(x) \delta _{g(x,h(k,x)),s} \bigg ) \bigg ( \sum _{x'} P_X(x') \delta _{g(x',h(k,x')),s} \bigg ) \\&\,=\,\sum _{x,x'} P_X(x) P_X(x') \delta _{g(h(k,x)),g(h(k,x'))}. \end{aligned}$$

We use the pairwise independence of h to rewrite this in terms of collision probabilities:

$$\begin{aligned} {\mathbf{E}}_k\Bigl [\sum _s P_{g(X,Y_k)}(s)^2\bigr ]&\,=\,&\sum _{x,x'} P_X(x) P_X(x') {\mathbf{E}}_k[\delta _{g(x,h(k,x)),g(x',h(k,x'))}] \nonumber \\&\,=\,&\mathrm {Col}(X)~+~ \mathrm {Col}_{{\mathcal {E}}}(g(X,U)) (1-\mathrm {Col}(X))\,, \end{aligned}$$

where the subscript \({\mathcal {E}}\) denotes (conditioning on) the event that \(X \ne X'\). That is,

$$\begin{aligned} \mathrm {Col}_{{\mathcal {E}}}(g(X,U)) \,=\,{\Pr }\left[ \, g(X,U) = g(X',U')\,\left| \right. \,X \ne X'\,\right] . \end{aligned}$$


$$\begin{aligned} \sum _s P_{g(X,Y_k)}(s) P_{g(X,U)}(s)&\,=\,\sum _s \bigg (\sum _{x} P_X(x) \delta _{g(x,h(k,x)),s} \bigg ) \\&\quad \bigg (\sum _{x',u} P_X(x') P_U(u) \delta _{g(x',u),s} \bigg ) \\&\quad \,=\,\sum _{x} \sum _{x'} \sum _u P_X(x) P_X(x') P_U(u) \delta _{g(x,h(k,x)),g(x',u)} \end{aligned}$$

so that

$$\begin{aligned} {\mathbf{E}}_k\Bigl [\sum _s P_{g(X,Y_k)}(s) P_{g(X,U)}(s)\bigr ]&\,=\,\sum _{x} \sum _{x'} \sum _u P_X(x) P_X(x') P_U(u) {\mathbf{E}}_k [\delta _{g(x,h(k,x)),g(x',u)}] \\&\,=\,\mathrm {Col}(g(X,U)) \,=\,\mathrm {Col}_{\overline{{\mathcal {E}}}}(g(X,U)) \mathrm {Col}(X)\\&\quad + \mathrm {Col}_{{\mathcal {E}}}(g(X,U)) (1-\mathrm {Col}(X)) \, . \end{aligned}$$

where \({\mathcal {E}}\) is defined as above. Note that the only difference between the expression above and that in (11) is that even when \(X=X'\), a collision is not guaranteed.


$$\begin{aligned} \sum _s P_{g(X,U)}(s)^2&\,=\,\mathrm {Col}(g(X,U))\\&\,=\,\mathrm {Col}_{\overline{{\mathcal {E}}}}(g(X,U)) \mathrm {Col}(X) + \mathrm {Col}_{{\mathcal {E}}}(g(X,U)) (1-\mathrm {Col}(X)) \end{aligned}$$

as well. By combining the above, we have

$$\begin{aligned} {\mathbf{E}}_k\bigl [ D\bigl (g(X,Y_k), f(X,U)\bigr ) \bigr ]= & {} \mathrm {Col}(X) + \mathrm {Col}_{{\mathcal {E}}}(g(X,U)) (1-\mathrm {Col}(X)) \\&-\,2 (\mathrm {Col}_{\overline{{\mathcal {E}}}}(g(X,U)) \mathrm {Col}(X)\\&+\,\mathrm {Col}_{{\mathcal {E}}}(g(X,U)) (1-\mathrm {Col}(X))) \\&+\,\mathrm {Col}_{\overline{{\mathcal {E}}}}(g(X,U)) \mathrm {Col}(X) + \mathrm {Col}_{{\mathcal {E}}}(g(X,U)) (1{-}\mathrm {Col}(X)) \\= & {} (1-\mathrm {Col}_{\overline{{\mathcal {E}}}}(g(X,U)))\mathrm {Col}(X)\\\le & {} \mathrm {Col}(X). \end{aligned}$$

To complete the proof, we can plug the bound above into (10):

$$\begin{aligned}&\Delta \bigl ((K,g(X,h(K,X))), (K,g(X,U))\bigr ) \,\le \,\frac{1}{2} \sqrt{|S| \, {\mathbf{E}}_k \bigl [ D\bigl (g(X,h(k,X)), g(X,U)\bigr ) \bigl ]} \\&\quad \,\le \,\frac{1}{2} \sqrt{|S|\mathrm {Col}(X)}. \end{aligned}$$

By the assumption on the min-entropy of X, the collision probability \(\mathrm {Col}(X)\) is at most \(4 {\hat{\varepsilon }}^2 / |S|\). So the statistical distance \(\Delta \bigl ((K,g(X,h(K,X))), (K,g(X,U))\bigr )\) is at most \({\hat{\varepsilon }}\), as desired.\(\square \)

Appendix 2: Security of OAEP Under Key-Independent Chosen-Plaintext Attack

The commonly-accepted notions of security for encryption ask for privacy with respect to messages that may depend on the public key. We define here a notion of privacy for messages not depending on the public key. We mention that such a definition appears for example in the work of Micali et al. [44] (under the name “three-pass," versus “one-pass," cryptosystem), in the text of Goldreich [30], and in the context of the recent work on deterministic encryption [2].

The definition. To an encryption scheme \(\Pi = ({\mathcal {K}}, {\mathcal {E}},{\mathcal {D}})\) and an adversary \(B = (B_1, B_2)\) we associate


We require \(|m_0| = |m_1|\) above. Define the indki-cpa advantage of B against \(\Pi \) as

$$\begin{aligned} \mathbf {Adv}^{\mathrm {indki\text{- }cpa}}_{\Pi ,B}(k) = 2 \cdot \Pr \left[ \, \mathbf {Exp}^{\mathrm {indki\text{- }cpa}}_{\Pi ,B}(k) \,{\Rightarrow }\,1 \,\right] - 1. \end{aligned}$$

Remarks. While non-standard, KI security seems adequate for some applications. For example, in [30] Goldreich points out that high-level applications that use encryption as a tool do so in a key-oblivious manner, and Bellare et al. [2] argue that in real life public keys are abstractions hidden in our software, so messages are unlikely to depend on them. KI security also suffices for hybrid encryption.

The result. We can show a standard model instantiation under KI security directly from Lemma 4.5, where G is any pairwise-independent function. This is captured by the theorem below.

Theorem 8.1

Let \(\mathsf {LTDP}= ({\mathcal {F}}, {\mathcal {F}}')\) be an LTDP with residual leakage \(\ell \), and let \(\mathsf {OAEP}\) be the encryption scheme associated to \({\mathcal {F}}\), hash functions GH, and a parameter \(k_0 < k\). Suppose G is pairwise-independent. Let \(\varepsilon > 0\). Then for any \(k_0 \ge \ell + 2 \log (1/\varepsilon ) - 2\) and any INDKI-CPA adversary B against \(\mathsf {OAEP}\), there is a distinguisher D against \(\mathsf {LTDP}\) such that

$$\begin{aligned} \mathbf {Adv}^{\mathrm {indki\text{- }cpa}}_{\mathsf {OAEP},B}(k) \,\le \,\mathbf {Adv}^{\mathrm {ltdp}}_{\mathsf {LTDP},D}(k) + \varepsilon . \end{aligned}$$

Furthermore, the running-time of D is the time to run B.

As we mentioned, the proof is a simple hybrid argument concluding by Lemma 4.5.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Kiltz, E., O’Neill, A. & Smith, A. Instantiability of RSA-OAEP Under Chosen-Plaintext Attack. J Cryptol 30, 889–919 (2017). https://doi.org/10.1007/s00145-016-9238-4

Download citation


  • RSA
  • OAEP
  • Padding-based encryption
  • Lossy trapdoor functions
  • Leftover hash lemma
  • Standard model