Optimal Asymmetric Encryption Padding

Optimal Asymmetric Encryption Padding, often abbreviated as OAEP, is a cryptographic padding scheme. It is a special form of Feistel network with which, in the random oracle model, a cryptosystem that is semantically secure against chosen-plaintext attacks can be built from any trapdoor permutation. The method was published in 1994 by Mihir Bellare and Phillip Rogaway.

Method

It is a security parameter, and so that an attacker can only perform as significantly less computational steps.

Furthermore, were a trapdoor permutation to messages with bits, and the length of the messages to be transmitted.

Finally cryptographic hash functions are and.

Encoding

To encrypt a bit message, the procedure is now as follows:

  • Is chosen as a random sequence of bits.
  • Then one calculates
  • The ciphertext is then given as:

Decryption

To reconstruct the message, the recipient performs the following steps:

  • First to use the trapdoor to
  • Now we reconstructed the random value as
  • Finally, the message gets back as

Variants

A simple modification of the above protocol also achieves IND-CCA1 security, that is, security against chosen-ciphertext attacks. To do this, the length of the message is reduced to bits and the message is concatenated with zeros. During decryption, the reconstructed value is checked for the correct form, and decryption aborts otherwise.

Victor Shoup presented an extension of the method with which IND-CCA2 security can also be achieved for any trapdoor permutation.

RSA-OAEP

OAEP was developed in the search for a way to encrypt securely with RSA (in the sense of IND-CCA2 security). When RSA is used as the trapdoor permutation in OAEP, the method is called RSA-OAEP. Although OAEP does not achieve IND-CCA2 security in the general case, RSA-OAEP does so in the random oracle model and under the RSA assumption.

Since the result of the OAEP encoding is a number between 0 and, while the -bit RSA modulus is smaller, the result of the OAEP encoding may have a larger numerical value than the RSA modulus. This must not happen, because decryption is no longer unique in this case. In such a case the OAEP encoding must therefore be repeated with a new random value.

RSA-OAEP is standardized in PKCS #1 and RFC 3447, where the hash function used is a parameter of the method and was therefore not fixed. Under these circumstances, i.e. without random oracles, RSA-OAEP is IND-CPA secure under the Phi-hiding assumption if the hash function used is t-wise independent. In the standardization, however, a change was made that leaves the procedure no longer provably secure: to avoid the above-mentioned repetition of the OAEP encoding, it is specified that the result of OAEP must be 8 bits shorter than the RSA modulus; the first 8 bits are filled with 0. During decryption the recipient must check whether the first 8 bits have the value 0, and abort if not. If an attacker can distinguish whether a decryption was aborted for this or for some other reason, there is an attack that recovers the complete plaintext without the secret key. For this the attacker needs only about 1,000 requests to an error oracle that outputs only whether and why a decryption attempt failed. Such oracles can occur, for example, in TLS/SSL connections, where the attack was carried out in practice.
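The two Feistel rounds with the standardized leading zero byte, and a decoder that reports every failure identically so that it cannot serve as an error oracle, as an added example that is not part of the original article. The byte layout follows RFC 3447; SHA-256 as the hash parameter and the function names `mgf1`, `oaep_encode` and `oaep_decode` are assumptions of this sketch, and the RSA permutation itself is left out.

```python
import hashlib, hmac, os

HLEN = hashlib.sha256().digest_size  # assumption: SHA-256 as the hash parameter

def mgf1(seed, length):
    """MGF1 mask generation function from RFC 3447."""
    blocks = (length + HLEN - 1) // HLEN
    out = b"".join(hashlib.sha256(seed + c.to_bytes(4, "big")).digest() for c in range(blocks))
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, label=b"", seed=None):
    """Encode msg into k bytes (k = modulus length in bytes); byte 0 is always 0x00."""
    pad_len = k - len(msg) - 2 * HLEN - 2
    if pad_len < 0:
        raise ValueError("message too long")
    seed = os.urandom(HLEN) if seed is None else seed
    db = hashlib.sha256(label).digest() + b"\x00" * pad_len + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, len(db)))          # first Feistel round
    masked_seed = xor(seed, mgf1(masked_db, HLEN))    # second Feistel round
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, label=b""):
    """Invert oaep_encode. Every failure returns None, without a reason."""
    if len(em) < 2 * HLEN + 2:
        return None
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, len(masked_db)))
    # Run all checks and accumulate the result; do not return at the first failure.
    bad = em[0] != 0                                   # the leading 8 bits must be 0
    bad |= not hmac.compare_digest(db[:HLEN], hashlib.sha256(label).digest())
    found, idx = False, 0
    for i, b in enumerate(db[HLEN:]):
        bad |= b > 1 and not found                     # junk before the 0x01 separator
        idx = i if (b == 1 and not found) else idx
        found |= b == 1
    bad |= not found
    # Python gives no timing guarantees; the point here is the single failure result.
    return None if bad else db[HLEN + idx + 1:]
```

The same rule extends to everything around the decoder: response codes, log messages and alerts visible to the peer should not reveal which check failed.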
