Recent Results on OAEP Security
This document outlines the security of the OAEP encoding method and the RSAES-OAEP encryption scheme. To summarize, RSAES-OAEP is secure against what is termed adaptive chosen ciphertext attacks. However, OAEP combined with other public-key algorithms different from RSA may not achieve provable security in this strongest sense.
In this dictionary, we give brief descriptions of words and phrases related to the RSAES-OAEP encryption scheme (as well as public-key encryption schemes in general).
RSA Labs submissions
RSA Laboratories has submitted RSAES-OAEP and RSASSA-PSS to the NESSIE project and the Japanese IPA CRYPTREC project. RSAES-OAEP is also submitted to ISO/IEC NP 18033 via the U.S. and Swedish ISO/IEC JTC 1/SC 27 member bodies.
The Public Key Cryptography Standard (PKCS) #1 provides recommendations for the implementation of public-key cryptography based on the RSA algorithm. RSAES-OAEP is included in PKCS #1 v2.0 and in the draft PKCS #1 v2.1. RSASSA-PSS is included in PKCS #1 v2.1 d2 (note however that the specification of RSASSA-PSS in v2.1 d1 is obsolete).
RSAES-OAEP algorithm specification and supporting documentation
This document is a revised version of the algorithm specification submitted to the NESSIE project (see previous link), containing the latest updates on the security of OAEP.
The history of Non-Secret Encryption at the British Communications-Electronics Security Group (CESG)
In 1973, a few years before RSA was invented at M.I.T., the U.K. cryptographer Clifford Cocks invented an RSA variant (using CRT for decryption!). Unfortunately, his discovery was classified, as were James Ellis' survey about the possibility of non-secret encryption from 1970 and Malcolm Williamson's invention of a Diffie-Hellman analog from 1974 (with improvements in 1976). Recently, the results were released; PDF documents can be downloaded from the CESG web site.