Unprovable security of RSA-OAEP in the standard model. Cryptology ePrint Archive, Report 2006/223 (2006) [1 citations — 0 self]
Download:
by Daniel R. L. Brown
http://eprint.iacr.org/2006/223.pdf
Add To MetaCart
Abstract:
Consider the provable security of RSA-OAEP when not instantiated with random oracles. Suppose a security reduction exists to show that finding a plaintext from a RSA-OAEP ciphertext (breaking the basic OW-CPA security) is as hard as the RSA problem. • The reduction can be used in an adaptive chosen ciphertext text (IND-CCA2) attack against RSA-OAEP. • The reduction cannot succeed in the random oracle model, so depends on how RSA-OAEP is instantiated. Therefore, even the most basic security of RSA-OAEP without random oracles seems unprovable.
Citations
| 72 | Finding a small root of a univariate modular equation – Coppersmith - 1996 |
| 67 | RSA–OAEP is Secure under the RSA Assumption – Fujisaki, Okamoto, et al. - 2001 |
| 8 | Discrete-log-based signatures may not be equivalent to discrete log – Paillier, Vergnaud - 2005 |
| 7 | Boneh and Ramarathnam Venkatesan. Breaking RSA may not be equivalent to factoring – Dan - 1998 |
