Cryptography Reference
In-Depth Information
Figure 14.1: OAEP padding scheme.
$$\mathrm{OAEP}(m) = (s, t) = \bigl(\underbrace{m \oplus g(r)}_{s},\ \underbrace{r \oplus h(m \oplus g(r))}_{t}\bigr)$$
This value can then be taken as input for an asymmetric encryption system,
such as the RSA asymmetric encryption system. The resulting system is sometimes
referred to as RSA-OAEP.
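The padding formula above, written out as an added Python example (not code from the book). It assumes SHAKE-256 and SHA-256 as stand-ins for g and h and a 32-byte r, none of which the page specifies, and it implements the page's simplified formula rather than the PKCS #1 encoding.

```python
import hashlib
import secrets
from typing import Optional, Tuple

K0 = 32  # byte length of the random value r (assumed parameter)


def g(r: bytes, n: int) -> bytes:
    # Assumption: SHAKE-256 stands in for g, stretched to the length of m.
    return hashlib.shake_256(b"g" + r).digest(n)


def h(s: bytes) -> bytes:
    # Assumption: SHA-256 stands in for h (32-byte output, equal to K0).
    return hashlib.sha256(b"h" + s).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_pad(m: bytes, r: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (s, t) with s = m XOR g(r) and t = r XOR h(s)."""
    r = secrets.token_bytes(K0) if r is None else r
    s = xor(m, g(r, len(m)))
    t = xor(r, h(s))  # raises ValueError if r is not K0 bytes long
    return s, t


def oaep_unpad(s: bytes, t: bytes) -> bytes:
    """Invert the padding: recover r from t first, then m from s."""
    r = xor(t, h(s))
    return xor(s, g(r, len(s)))


def flip_first_bit(data: bytes) -> bytes:
    return bytes([data[0] ^ 0x01]) + data[1:]


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input
    s, t = oaep_pad(msg)
    print("s =", s.hex(), "\nt =", t.hex())
    print("round trip ok:", oaep_unpad(s, t) == msg)
    damaged = oaep_unpad(flip_first_bit(s), t)
    changed = sum(a != b for a, b in zip(damaged, msg))
    print("message bytes changed by one flipped bit in s:", changed)
```

Padding the same message twice gives different (s, t) pairs because r is fresh each time, and a single flipped bit in s changes the recovered r and therefore scrambles the whole recovered message.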
Bellare and Rogaway argued that OAEP provides semantic security against
chosen-ciphertext attacks in the random oracle model. Hence, quite naturally, OAEP
was adopted in PKCS #1 version 2.0. In 2001, however, Victor Shoup showed that
the security arguments provided by Bellare and Rogaway are formally incorrect
[17]. A formal and complete proof of the semantic security against adaptive chosen-
ciphertext attacks provided by RSA-OAEP was given in [18]. Unfortunately, this
security proof does not guarantee security for key sizes used in practice (due to
the inefficiency of the security reduction). Consequently, a few alternative padding
schemes have been proposed in the literature that admit more efficient proofs and
provide adequate security for key sizes used in practice (see, for example, [19]). The
development and formal treatment of padding schemes for asymmetric encryption
is still a hot research topic in contemporary cryptography.
14.4 IDENTITY-BASED ENCRYPTION
In an asymmetric encryption system, every user has a public key pair, and the keys
that make up the pair look somewhat arbitrary and random. Consequently, one usually