**What Hashes Make RSA-OAEP Secure?**

*Daniel R. L. Brown*

**Abstract: **Firstly, we demonstrate a pathological hash function choice that makes
RSA-OAEP insecure. This shows that at least some security property is
necessary for the hash functions used in RSA-OAEP. Nevertheless, we
conjecture that only some very minimal security properties of the hash
functions are actually necessary for the security of RSA-OAEP.
Secondly, we consider certain types of reductions that could be used
to prove the OW-CPA (i.e., the bare minimum) security of RSA-OAEP. We
apply metareductions that show if such reductions existed, then
RSA-OAEP would be OW-CCA2 insecure, or even worse, that the RSA
problem would solvable. Therefore, it seems unlikely that such
reductions could exist. Indeed, no such reductions proving the
OW-CCA2 security of RSA-OAEP exist.

**Category / Keywords: **public-key cryptography / RSA, OAEP, Provable Security, Public-key Encryption, IND-CCA2, OW-CPA, Impossibiltiy Results

**Date: **received 30 Jun 2006, last revised 8 Aug 2007

**Contact author: **dbrown at certicom com

**Available format(s): **PDF | BibTeX Citation

**Note: **Re-written for better clarity in response to various comments.

**Version: **20070808:185853 (All versions of this report)

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]