eprint.iacr.org will be offline for approximately an hour for routine maintenance at 11pm UTC on Tuesday, April 16. We lost some data between April 12 and April 14, and some authors have been notified that they need to resubmit their papers.

Paper 2006/223

What Hashes Make RSA-OAEP Secure?

Daniel R. L. Brown

Abstract

Firstly, we demonstrate a pathological hash function choice that makes RSA-OAEP insecure. This shows that at least some security property is necessary for the hash functions used in RSA-OAEP. Nevertheless, we conjecture that only some very minimal security properties of the hash functions are actually necessary for the security of RSA-OAEP. Secondly, we consider certain types of reductions that could be used to prove the OW-CPA (i.e., the bare minimum) security of RSA-OAEP. We apply metareductions that show if such reductions existed, then RSA-OAEP would be OW-CCA2 insecure, or even worse, that the RSA problem would solvable. Therefore, it seems unlikely that such reductions could exist. Indeed, no such reductions proving the OW-CCA2 security of RSA-OAEP exist.

Note: Re-written for better clarity in response to various comments.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
RSAOAEPProvable SecurityPublic-key EncryptionIND-CCA2OW-CPAImpossibiltiy Results
Contact author(s)
dbrown @ certicom com
History
2007-08-08: revised
2006-07-03: received
See all versions
Short URL
https://ia.cr/2006/223
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2006/223,
      author = {Daniel R.  L.  Brown},
      title = {What Hashes Make RSA-OAEP Secure?},
      howpublished = {Cryptology ePrint Archive, Paper 2006/223},
      year = {2006},
      note = {\url{https://eprint.iacr.org/2006/223}},
      url = {https://eprint.iacr.org/2006/223}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.