Simplified OAEP for the RSA and Rabin functions

Authors: D. Boneh

Optimal Asymmetric Encryption Padding (OAEP) is a technique for converting the RSA trapdoor permutation into a chosen ciphertext secure system in the random oracle model. OAEP padding can be viewed as two rounds of a Feistel network. We show that for the Rabin and RSA trapdoor functions a much simpler padding scheme is sufficient for chosen ciphertext security in the random oracle model. We show that only one round of a Feistel network is sufficient. The proof of security for this simpler padding is more efficient than the proof for OAEP, resulting in much tighter security bounds. The proof of security uses the algebraic properties of the RSA and Rabin functions.

In proceedings of Crypto '2001, Lecture Notes in Computer Science, Vol. 2139, Springer-Verlag, pp. 275-291, 2001

Full paper: PostScript         [first posted 3/2001 ]