Abstract:
The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94, and is widely believed to be secure against adaptive chosen ciphertext attack. The main justification for this belief is a proof of security in the random oracle model. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the proof. Second, it proves a theorem that essentially says that this gap cannot be filled using standard proof techniques of the type used in Bellare and Rogaway's paper, and elsewhere in the cryptographic literature. It should be stressed that these results do not imply that RSA-OAEP is insecure. They simply undermine the justification that no attacks are possible in general. In fact, we make the observation that RSA-OAEP with encryption exponent 3 actually is provably secure in the random oracle model, but the argument makes use of special properties of the RSA function. However, this should not necessarily be viewed as a good reason to use RSA-OAEP with encryption exponent 3. The paper also presents a new scheme, OAEP+, along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP.