How to Strengthen the Security of RSA-OAEP

Abstract

OAEP is one of the few standardized and widely deployed public-key encryption schemes. It was designed by Bellare and Rogaway as a scheme based on a trapdoor permutation such as RSA. RSA-OAEP is standardized in RSA's PKCS #1 v2.1 and is part of several standards. OAEP was shown to be IND-CCA secure assuming the underlying trapdoor permutation is partial one-way, and RSA-OAEP was proven to be IND-CCA under the standard RSA assumption, both in the random oracle model. However, the latter reduction is not tight, meaning that the guaranteed level of security is not very high for a practical parameter choice. We observe that the situation is even worse because both analyses were done in the single-query setting, i.e., where an adversary gets a single challenge ciphertext. This does not take into account the fact that in reality an adversary can observe multiple ciphertexts of related messages. The results about the multiquery setting imply that the guaranteed concrete security can degrade by a factor of <formula formulatype="inline" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex Notation="TeX">$q$</tex> </formula> , which is the number of challenge ciphertexts an adversary can get. We propose a very simple modification of the OAEP encryption, which asks that the trapdoor permutation instance is only applied to a part of the OAEP transform. We show that IND-CCA security of this scheme is tightly related to the hardness of one-wayness of the trapdoor permutation in the random oracle model. This implies tight security for RSA-OAEP under the RSA assumption. We also show that security does not degrade as the number of ciphertexts an adversary can see increases. Moreover, OAEP can be used to encrypt long messages without using hybrid encryption. We believe that this modification is easy to implement, and the benefits it provides deserves the attention of standard bodies.