Taxonomic Consideration to OAEP Variants and Their Security

  • Yuichi Komano
  • Kazuo Ohta
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3269)


In this paper, we first model the variants of OAEP and SAEP, and establish a systematic proof technique, the comprehensive event dividing tree, and apply the technique to prove the security of the (120) variants of OAEP and SAEP. Moreover, we point out the concrete attack procedures against all insecure schemes; we insist that the security proof failure leads to some attacks. From the security consideration, we find that one of them leads to a scheme without a redundancy; the scheme is not \(\mathcal{PA}\) (plaintext aware) but IND-CCA2 secure. Finally, from the comparison of the variants, we conclude that some of them are practical in terms of security tightness and short bandwidth.


OAEP SAEP provably secure reduction Padding 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)Google Scholar
  2. 2.
    Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Proc. of the 1st CCS, pp. 62–73. ACM Press, New York (1993)Google Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Optimal asymetric encryption — how to encrypt with RSA. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  4. 4.
    Boneh, D.: Simplified OAEP for the RSA and Rabin Functions. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 275–291. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  5. 5.
    Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is chosenciphertext secure under the RSA assumption. Journal of Cryptology 17(2), 81–104 (2004)zbMATHCrossRefMathSciNetGoogle Scholar
  6. 6.
    Kobara, K., Imai, H.: OAEP++: A very simple way to apply OAEP to deterministic OW-CPA primitives (2002), Available at
  7. 7.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Shoup, V.: OAEP reconsidered. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 239–259. Springer, Heidelberg (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Yuichi Komano
    • 1
  • Kazuo Ohta
    • 2
  1. 1.Toshiba CorporationKawasakiJapan
  2. 2.The University of Electro-CommunicationsTokyoJapan

Personalised recommendations