OAEP: Optimal Asymmetric Encryption Padding

Encyclopedia of Cryptography and Security

Plain RSA public key encryption cannot be used directly in practice: padding is required in order to rule out basic attacks.

The RSA–PKCS #1 v1.5 Encryption

A widely deployed padding for RSA-based encryption is defined in the PKCS #1 v1.5 standard: for any modulus \(2^{8(k-1)}\leq n < 2^{8k}\), in order to encrypt a message m, one defines the k-byte long string \(M = 02\parallel r \parallel 0 \parallel m\), where r is a string of randomly chosen non-zero bytes (at least 8). This block is thereafter encrypted with the RSA permutation, \(C = M^{e} \bmod n\) (see modular arithmetic). When decrypting a ciphertext C, the decryptor applies RSA inversion by computing \(M = C^{d} \bmod n\) and then checks that the result M matches the expected format. If so, the decryptor outputs the last part as the plaintext. Otherwise, the ciphertext is rejected. Intuitively, this padding seems sufficient to rule out all the well-known weaknesses of the...
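The encoding, encryption and format check described above, as an added Python example that is not part of the original entry. It writes the block with the standard's explicit leading zero byte, 00 || 02 || r || 00 || m, so that it is exactly k bytes long and its integer value is below n. The key is a constructed toy key built from two Mersenne primes, and the function names are assumptions of this example.

```python
import secrets

# Constructed toy key for illustration only: Mersenne primes are trivially factorable.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # k such that 2^(8(k-1)) <= n < 2^(8k)


def pad(m: bytes) -> bytes:
    """Build the k-byte block 00 || 02 || r || 00 || m, r = at least 8 non-zero random bytes."""
    if len(m) > K - 11:
        raise ValueError("message too long for this modulus")
    r = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(m)))
    return b"\x00\x02" + r + b"\x00" + m


def unpad(block: bytes):
    """Return m if the block has the expected format, otherwise None (reject)."""
    if len(block) != K or block[:2] != b"\x00\x02":
        return None
    sep = block.find(b"\x00", 2)       # first zero byte after the random string r
    if sep < 10:                       # no separator found (-1) or r shorter than 8 bytes
        return None
    return block[sep + 1:]


def encrypt(m: bytes) -> bytes:
    """C = M^e mod n, where M is the padded block read as a big-endian integer."""
    M = int.from_bytes(pad(m), "big")
    return pow(M, E, N).to_bytes(K, "big")


def decrypt(c: bytes):
    """M = C^d mod n, then the format check; returns the plaintext or None."""
    C = int.from_bytes(c, "big")
    if len(c) != K or C >= N:
        return None
    M = pow(C, D, N)
    return unpad(M.to_bytes(K, "big"))


if __name__ == "__main__":
    ct = encrypt(b"attack at dawn")
    print(ct.hex(), decrypt(ct))
```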



© 2005 International Federation for Information Processing

Cite this entry

Pointcheval, D. (2005). OAEP: Optimal Asymmetric Encryption Padding. In: van Tilborg, H.C.A. (eds) Encyclopedia of Cryptography and Security. Springer, Boston, MA. https://doi.org/10.1007/0-387-23483-7_284
