Paper 2006/223

What Hashes Make RSA-OAEP Secure?

Daniel R. L. Brown

Abstract

Firstly, we demonstrate a pathological hash function choice that makes RSA-OAEP insecure. This shows that at least some security property is necessary for the hash functions used in RSA-OAEP. Nevertheless, we conjecture that only some very minimal security properties of the hash functions are actually necessary for the security of RSA-OAEP. Secondly, we consider certain types of reductions that could be used to prove the OW-CPA (i.e., the bare minimum) security of RSA-OAEP. We apply metareductions that show if such reductions existed, then RSA-OAEP would be OW-CCA2 insecure, or even worse, that the RSA problem would solvable. Therefore, it seems unlikely that such reductions could exist. Indeed, no such reductions proving the OW-CCA2 security of RSA-OAEP exist.

Note: Re-written for better clarity in response to various comments.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
RSAOAEPProvable SecurityPublic-key EncryptionIND-CCA2OW-CPAImpossibiltiy Results
Contact author(s)
dbrown @ certicom com
History
2007-08-08: revised
2006-07-03: received
See all versions
Short URL
https://ia.cr/2006/223
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2006/223,
      author = {Daniel R.  L.  Brown},
      title = {What Hashes Make RSA-OAEP Secure?},
      howpublished = {Cryptology ePrint Archive, Paper 2006/223},
      year = {2006},
      note = {\url{https://eprint.iacr.org/2006/223}},
      url = {https://eprint.iacr.org/2006/223}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.