Simplified OAEP for the RSA and Rabin Functions

  • Dan Boneh
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2139)


Optimal Asymmetric Encryption Padding (OAEP) is a technique for converting the RSA trapdoor permutation into a chosen cipher-text secure system in the random oracle model. OAEP padding can be viewed as two rounds of a Feistel network. We show that for the Rabin and RSA trapdoor functions a much simpler padding scheme is sufficient for chosen ciphertext security in the random oracle model. We show that only one round of a Feistel network is sufficient. The proof of security uses the algebraic properties of the RSA and Rabin functions.


Random Oracle Model Challenge Ciphertext Choose Ciphertext Attack Real Attack Decryption Query 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    M. Bellare, P. Rogaway, “Random oracles are practical: a paradigm for designing efficient protocols”, In ACM conference on Computers and Communication Security, pp. 62–73, 1993.Google Scholar
  2. 2.
    M. Bellare, P. Rogaway, “Optimal asymmetric encryption”, Eurocrypt’ 94, pp. 92–111, 1994.Google Scholar
  3. 3.
    M. Bellare, A. Desai, D. Pointcheval, P. Rogaway, “Relations among notions of security for public-key encryption schemes”, in proc. Crypto’ 98, pp. 26–45, 1998.Google Scholar
  4. 4.
    D. Boneh, R. Venkatesan, “Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes”, in proc. Crypto’ 96, pp. 129–142, 1996.Google Scholar
  5. 5.
    R. Canetti, O. Goldreich, S. Halevi, “The random oracle model, revisited”, in proc. STOC’ 98.Google Scholar
  6. 6.
    D. Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology, vol. 10, pp. 233–260, 1997.zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    D. Dolev, C. Dwork, M. Naor, “Non-malleable cryptography”, SIAM J. of Computing, Vol. 30(2), pp. 391–437, 2000.zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern, “RSA-OAEP is secure under the RSA assumption”, In proc. Crypto’ 2001, Springer-Verlag, 2001.Google Scholar
  9. 9.
    A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.Google Scholar
  10. 10.
    J. Manger, “A chosen ciphertext attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as standardized in PKCS #1”, In proc. Crypto’ 2001.Google Scholar
  11. 11.
    V. Shoup, “OAEP reconsidered”, In proc. Crypto’ 2001, Springer-Verlag, 2001.Google Scholar
  12. 12.
    C. Rackoff, D. Simon, “Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack”, in proc. Crypto’ 91, pp. 433–444, 1991.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Dan Boneh
    • 1
  1. 1.Computer Science DepartmentStanford UniversityUSA

Personalised recommendations