International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

What Hashes Make RSA-OAEP Secure?

Authors:
Daniel R. L. Brown
Download:
URL: http://eprint.iacr.org/2006/223
Search ePrint
Search Google
Abstract: Firstly, we demonstrate a pathological hash function choice that makes RSA-OAEP insecure. This shows that at least some security property is necessary for the hash functions used in RSA-OAEP. Nevertheless, we conjecture that only some very minimal security properties of the hash functions are actually necessary for the security of RSA-OAEP. Secondly, we consider certain types of reductions that could be used to prove the OW-CPA (i.e., the bare minimum) security of RSA-OAEP. We apply metareductions that show if such reductions existed, then RSA-OAEP would be OW-CCA2 insecure, or even worse, that the RSA problem would solvable. Therefore, it seems unlikely that such reductions could exist. Indeed, no such reductions proving the OW-CCA2 security of RSA-OAEP exist.
BibTeX
@misc{eprint-2006-21716,
  title={What Hashes Make RSA-OAEP Secure?},
  booktitle={IACR Eprint archive},
  keywords={public-key cryptography / RSA, OAEP, Provable Security, Public-key Encryption, IND-CCA2, OW-CPA, Impossibiltiy Results},
  url={http://eprint.iacr.org/2006/223},
  note={ dbrown@certicom.com 13733 received 30 Jun 2006, last revised 8 Aug 2007},
  author={Daniel R. L. Brown},
  year=2006
}