How to Strengthen the Security of RSA-OAEP

OAEP is one of the few standardized and widely deployed public-key encryption schemes. It was designed by Bellare and Rogaway as a scheme based on a trapdoor permutation such as RSA. RSA-OAEP is standardized in RSA's PKCS #1 v2.1 and is part of several standards. OAEP was shown to be IND-CCA secure assuming the underlying trapdoor permutation is partial one-way, and RSA-OAEP was proven to be IND-CCA under the standard RSA assumption, both in the random oracle model. However, the latter reduction is not tight, meaning that the guaranteed level of security is not very high for a practical parameter choice. We observe that the situation is even worse because both analyses were done in the single-query setting, i.e., where an adversary gets a single challenge ciphertext. This does not take into account the fact that in reality an adversary can observe multiple ciphertexts of related messages. The results about the multi-query setting imply that the guaranteed concrete security can degrade by a factor of q, which is the number of challenge ciphertexts an adversary can get. We propose a very simple modification of the OAEP encryption, which asks that the trapdoor permutation instance is only applied to a part of the OAEP transform. We show that IND-CCA security of this scheme is tightly related to the one-wayness of the trapdoor permutation in the random oracle model. This implies tight security for RSA-OAEP under the RSA assumption. We also show that security does not degrade as the number of ciphertexts an adversary can see increases. Moreover, OAEP can be used to encrypt long messages without using hybrid encryption. We believe that this modification is easy to implement, and the benefits it provides deserve the attention of standard bodies.
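The following is an added illustration, not code from the paper or from any standard: a toy Python implementation of the Bellare-Rogaway OAEP transform (s = (m || 0^k1) xor G(r), t = r xor H(s)) over a small RSA instance, with the standard scheme (f applied to the whole block s || t) next to the variant the abstract describes. Which part goes under f is an assumption made here: the masked seed t is encrypted with f and s is transmitted alongside it, which is what lets the message length escape the modulus bound. The key size, the 0x80 length delimiter, and SHA-256-based MGF1 expansion standing in for the random oracles G and H are constructed choices; the layout is Bellare-Rogaway's, not the PKCS #1 v2.1 encoding.

```python
"""Toy OAEP vs. 'f only on t' OAEP. Added illustration; not the paper's code."""
import hashlib
import os
import random

K0 = 16  # bytes of random seed r
K1 = 16  # bytes of zero redundancy appended to m; checked on decryption (the CCA check)
_rng = random.SystemRandom()  # OS entropy for key generation; still a toy, nothing is constant-time


def mgf(label: bytes, seed: bytes, length: int) -> bytes:
    """MGF1-style SHA-256 expansion standing in for the random oracles G and H (label separates them)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_pad(m: bytes, r: bytes):
    """Bellare-Rogaway transform: s = (m || 0^K1) xor G(r), t = r xor H(s)."""
    s = xor(m + bytes(K1), mgf(b"G", r, len(m) + K1))
    t = xor(r, mgf(b"H", s, K0))
    return s, t


def oaep_unpad(s: bytes, t: bytes):
    """Invert the transform; None if the K1 zero bytes do not verify."""
    r = xor(t, mgf(b"H", s, K0))
    padded = xor(s, mgf(b"G", r, len(s)))
    return padded[:-K1] if padded[-K1:] == bytes(K1) else None


# --- toy RSA as the trapdoor permutation f (constructed, small parameters) ---
def is_probable_prime(n: int, rounds: int = 20) -> bool:
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Toy key size for speed; returns (pk, sk) = ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def modulus_bytes(n: int) -> int:
    return (n.bit_length() + 7) // 8


def f(pk, x: bytes) -> bytes:
    n, e = pk
    xi = int.from_bytes(x, "big")
    if xi >= n:
        raise ValueError("input outside the domain of the permutation")
    return pow(xi, e, n).to_bytes(modulus_bytes(n), "big")


def f_inv(sk, y: bytes, out_len: int):
    """None when the preimage does not fit out_len bytes (y was not produced from such an input)."""
    n, d = sk
    x = pow(int.from_bytes(y, "big"), d, n)
    return x.to_bytes(out_len, "big") if x < 1 << (8 * out_len) else None


# --- standard OAEP: f over the whole block s || t, so |m| is bounded by the modulus ---
def max_message_len(pk) -> int:
    # one byte below the modulus keeps s||t < n; K0, K1 and one 0x80 delimiter are overhead
    return modulus_bytes(pk[0]) - 1 - K0 - K1 - 1


def oaep_encrypt(pk, m: bytes) -> bytes:
    limit = max_message_len(pk)
    if len(m) > limit:
        raise ValueError(f"standard OAEP: message longer than {limit} bytes, hybrid encryption needed")
    s, t = oaep_pad(m + b"\x80" + bytes(limit - len(m)), os.urandom(K0))
    return f(pk, s + t)


def oaep_decrypt(sk, c: bytes):
    st = f_inv(sk, c, modulus_bytes(sk[0]) - 1)
    padded = None if st is None else oaep_unpad(st[:-K0], st[-K0:])
    if padded is None or not padded.rstrip(b"\x00").endswith(b"\x80"):
        return None
    return padded.rstrip(b"\x00")[:-1]


# --- the variant (assumed reading of the abstract): f applied only to t, s sent alongside ---
def oaep_t_encrypt(pk, m: bytes):
    s, t = oaep_pad(m, os.urandom(K0))  # s may be as long as m requires
    return s, f(pk, t)


def oaep_t_decrypt(sk, c):
    s, ct = c
    t = f_inv(sk, ct, K0)
    return None if t is None else oaep_unpad(s, t)
```

With a 512-bit toy modulus the standard scheme accepts at most 30 message bytes, while the variant encrypts a 768-byte message with a single permutation call because only the 16-byte t passes through f; in both schemes a tampered ciphertext fails the zero-redundancy check and decryption returns None rather than a plaintext.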
