Strengthening Security of RSA-OAEP
- 872 Downloads
OAEP is one of the few standardized and widely deployed public-key encryption schemes. It was designed by Bellare and Rogaway as a scheme based on a trapdoor permutation such as RSA. RSA-OAEP is standardized in RSA’s PKCS #1 v2.1 and is part of several standards. RSA-OAEP was shown to be IND-CCA secure in the random oracle model under the standard RSA assumption. However, the reduction is not tight, meaning that the guaranteed level of security is not very high for a practical parameter choice. We first observe that the situation is even worse because the analysis was done in the single-query setting, i.e. where an adversary gets a single challenge ciphertext. This does not take into account the fact that in reality an adversary can observe multiple ciphertexts of related messages. The results about the multi-query setting imply that the guaranteed concrete security can degrade by a factor of q, which is the number of challenge ciphertexts an adversary can get. We re-visit a very simple but not well-known modification of the RSA-OAEP encryption which asks that the RSA function is only applied to a part of the OAEP transform. We show that in addition to the previously shown fact that security of this scheme is tightly related to the hardness of the RSA problem, security does not degrade as the number of ciphertexts an adversary can see increases. Moreover, this scheme can be used to encrypt long messages without using hybrid encryption. We believe that this modification to the RSA-OAEP is easy to implement, and the benefits it provides deserves the attention of standard bodies.
KeywordsEncryption Scheme Random Oracle Random Oracle Model Challenge Ciphertext Decryption Oracle
Unable to display preview. Download preview PDF.
- 4.Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, Fairfax, Virginia, USA, November 3–5, pp. 62–73. ACM Press, New York (1993)Google Scholar
- 13.Kaliski, B.: TWIRL and RSA key size. RSA Laboratories (2003)Google Scholar
- 14.Kobara, K., Imai, H.: OAEP++: A very simple way to apply OAEP to deterministic OW-CPA primitives. Cryptology ePrint Archive, Report 2002/130 (2002), http://eprint.iacr.org/
- 16.Pointcheval, D.: How to encrypt properly with RSA. RSA Laboratories’ CryptoBytes 5(1), 9–19 (Winter/Spring 2002) Google Scholar
- 18.Shoup, V.: A proposal for an ISO standard for public-key encryption. ISO/IEC JTC 1/SC27 (2001)Google Scholar
- 19.Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. cryptology eprint archive, report 2004/332 (2004), http://eprint.iacr.org/