Cryptology ePrint Archive: Report 2006/223
What Hashes Make RSA-OAEP Secure?
Daniel R. L. Brown
Abstract: Firstly, we demonstrate a pathological hash function choice that makes
RSA-OAEP insecure. This shows that at least some security property is
necessary for the hash functions used in RSA-OAEP. Nevertheless, we
conjecture that only some very minimal security properties of the hash
functions are actually necessary for the security of RSA-OAEP.
Secondly, we consider certain types of reductions that could be used
to prove the OW-CPA (i.e., the bare minimum) security of RSA-OAEP. We
apply metareductions that show if such reductions existed, then
RSA-OAEP would be OW-CCA2 insecure, or even worse, that the RSA
problem would solvable. Therefore, it seems unlikely that such
reductions could exist. Indeed, no such reductions proving the
OW-CCA2 security of RSA-OAEP exist.
Category / Keywords: public-key cryptography / RSA, OAEP, Provable Security, Public-key Encryption, IND-CCA2, OW-CPA, Impossibiltiy Results
Date: received 30 Jun 2006, last revised 8 Aug 2007
Contact author: dbrown at certicom com
Available formats: PDF | BibTeX Citation
Note: Re-written for better clarity in response to various comments.
Version: 20070808:185853 (All versions of this report)
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]